[Full-Disclosure] Novell WebAcces

From: noAcces (noacces_at_lycos.nl)
Date: 01/07/05

    To: full-disclosure@lists.netsys.com
    Date: Fri, 07 Jan 2005 09:42:04 GMT 
    
    
    

     

    I was playing around when I found a small problem with Novell's WebAccess.
    With User.lang you can give in your language as a parameter. I tried some different stuff there, and when I tried "> so that the URL would be hxxp://www.notsohappyserver.com/servlet/webacc?User.Lang="> a link appeared. I clicked it, and so I found some unprotected dirs.
    The problem is that the file hxxps://www.notsohappyserver/com/novell/webaccess/WebAccessUninstall.ini contains info about the servername context and install paths.
    It seems that this is working on almost every WebAccess server.

     



    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
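
For administrators reviewing their own WebAccess front end, the two request patterns described in the post can be looked for in web server access logs. The following is an added example, not part of the original message or of any Novell tooling; the log format (Common Log Format), the sample lines, and the rule for what a normal language value looks like are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Common Log Format lines; addresses are documentation placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jan/2005:09:40:01 +0000] "GET /servlet/webacc?User.Lang=en HTTP/1.1" 200 5120
192.0.2.44 - - [07/Jan/2005:09:41:12 +0000] "GET /servlet/webacc?User.Lang=%22%3E HTTP/1.1" 200 734
192.0.2.44 - - [07/Jan/2005:09:41:30 +0000] "GET /com/novell/webaccess/WebAccessUninstall.ini HTTP/1.1" 200 412
192.0.2.44 - - [07/Jan/2005:09:41:45 +0000] "GET /com/novell/webaccess/ HTTP/1.1" 200 2048
192.0.2.77 - - [07/Jan/2005:09:50:00 +0000] "GET /com/novell/webaccess/WebAccessUninstall.ini HTTP/1.1" 404 210
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# Assumption: a legitimate language value looks like "en" or "pt-BR".
LANG_OK = re.compile(r"[A-Za-z]{2,3}(?:[-_][A-Za-z]{2,4})?")
INSTALL_PREFIX = "/com/novell/webaccess"  # directory named in the post


def classify(line):
    """Return (client, reason, status) for a suspicious request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    url = urlsplit(target)
    path = url.path.lower()
    # Pattern 1: the User.Lang parameter carries something that is not a language code.
    if path.startswith("/servlet/webacc"):
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == "user.lang" and not LANG_OK.fullmatch(value):
                return (client, "unexpected User.Lang value", status)
    # Pattern 2: direct requests into the install directory; a 2xx means it was served.
    if path == INSTALL_PREFIX or path.startswith(INSTALL_PREFIX + "/"):
        served = status.startswith("2")
        return (client, "install path served" if served else "install path probed", status)
    return None


def scan(log_text):
    """Classify every line of an access log and keep only the findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, reason, status in scan(SAMPLE_LOG):
        print(f"{client}\t{status}\t{reason}")
```

A finding of "install path served" means the server returned content from that directory, which is the exposure the post describes; "install path probed" means the request was made but not answered with a success status.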

