htp.print in pen-test

From: Scalise, Marzio (marzioscalise@KPMG.it)
Date: 12/17/01


From: "Scalise, Marzio" <marzioscalise@KPMG.it>
To: pen-test@securityfocus.com
Date: Mon, 17 Dec 2001 18:26:47 +0100

Hi,

I have found a command "htp.print" in a site during a pen-test.
The problem is with the request for one type of page,
when I insert the htp.print in the browser command line.

eg. www.this-is-my-company.com/oracle-directory/htp.print(sysdate)

and i receive the system date of the target machine.

In my internet search I found other htp commands like htp.opentable, etc.

The system is Apache 1.3.9 on Solaris.
Any ideas for exploiting this bug?

Thank you

Marzio
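
On the defender's side, requests like the one described in this message show up in the web server's access log. The following is an added example, not part of the original message: it scans Apache logs for requests whose final path segment names a procedure in the htp package, generalising from htp.print and htp.opentable to any htp.<name>. The Common Log Format, the function name and all sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# Last path segment that names a procedure in the htp package, optionally
# followed by a parenthesised argument list, as in htp.print(sysdate).
HTP_CALL = re.compile(r'^(htp\.\w+)\s*(?:\((.*)\))?$', re.IGNORECASE)

# Constructed sample log lines (documentation addresses, placeholder paths).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Dec/2001:18:20:01 +0100] "GET /index.html HTTP/1.0" 200 1043
192.0.2.44 - - [17/Dec/2001:18:21:13 +0100] "GET /oracle-directory/htp.print(sysdate) HTTP/1.0" 200 27
192.0.2.44 - - [17/Dec/2001:18:21:40 +0100] "GET /oracle-directory/HTP.OpenTable HTTP/1.0" 200 9
192.0.2.44 - - [17/Dec/2001:18:22:02 +0100] "GET /oracle-directory/htp%2Eprint%28sysdate%29 HTTP/1.0" 200 27
192.0.2.77 - - [17/Dec/2001:18:25:00 +0100] "GET /docs/htp.print.html HTTP/1.0" 404 210
not a log line
"""

def find_htp_calls(log_text):
    """Return one dict per request whose last path segment calls htp.*."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        host, when, method, target, status = m.groups()
        # Drop the query string, then decode %xx so encoded calls are caught too.
        path = unquote(target.split("?", 1)[0])
        segment = path.rsplit("/", 1)[-1]
        call = HTP_CALL.match(segment)
        if call:
            hits.append({"host": host, "time": when, "status": int(status),
                         "procedure": call.group(1).lower(),
                         "args": call.group(2)})
    return hits

if __name__ == "__main__":
    for hit in find_htp_calls(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status means the server answered the procedure call rather than rejecting it, which is the case worth reviewing first.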
