[Full-Disclosure] Novell WebAcces
From: noAcces (noacces_at_lycos.nl)
Date: 01/07/05
To: full-disclosure@lists.netsys.com
Date: Fri, 07 Jan 2005 09:42:04 GMT
I was playing around when I found a small problem with Novell's WebAccess.
With User.lang you can give your language as a parameter. I tried some different stuff there, and when I tried "> so that the URL would be hxxp://www.notsohappyserver.com/servlet/webacc?User.Lang="> a link appeared. I clicked it and so I found some unprotected dirs.
The problem is that the file hxxps://www.notsohappyserver/com/novell/webaccess/WebAccessUninstall.ini contains info about the servername context and install paths.
It seems that this is working on almost every WebAccess server.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
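For administrators checking their own WebAccess servers for the two behaviours described in the post above, the following access-log check is an added example and not part of the original message. It assumes common/combined log format and that a legitimate User.Lang value looks like a language tag; the log lines and the names classify and scan are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate User.Lang value is a language tag (en, nl, pt-BR).
LANG_RE = re.compile(r'^[A-Za-z]{2,3}(?:[-_][A-Za-z]{2,4})?$')
# .ini files served from the directory named in the post.
INI_RE = re.compile(r'^/com/novell/webaccess/.*\.ini$', re.IGNORECASE)

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jan/2005:09:40:01 +0000] "GET /servlet/webacc?User.Lang=en HTTP/1.1" 200 5120',
    '192.0.2.77 - - [07/Jan/2005:09:41:13 +0000] "GET /servlet/webacc?User.Lang=%22%3E HTTP/1.1" 200 4312',
    '192.0.2.77 - - [07/Jan/2005:09:41:40 +0000] "GET /com/novell/webaccess/WebAccessUninstall.ini HTTP/1.1" 200 804',
    '192.0.2.10 - - [07/Jan/2005:09:42:02 +0000] "GET /servlet/webacc?User.Lang=nl HTTP/1.1" 200 5098',
]


def classify(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    try:
        url = urlsplit(m.group(1))
    except ValueError:
        return ["unparseable-url"]
    findings = []
    if INI_RE.match(url.path):
        findings.append("ini-file-request")
    if url.path.lower().endswith("/servlet/webacc"):
        # parse_qsl percent-decodes, so %22%3E is compared as ">
        for name, value in parse_qsl(url.query):
            if name.lower() == "user.lang" and not LANG_RE.match(value):
                findings.append("malformed-user-lang")
    return findings


def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```

A hit of type ini-file-request that was answered with status 200 means the web server is serving the uninstall file and access to that directory should be restricted.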