Hello,
Plugin 10297 is good because it reports things such as:
It is possible to read arbitrary files on the remote server by
prepending ../../ or ..\\..\\ in front on the file name. It was possible
to read arbitrary files using the URL :
http://xxx.xxx.xxx.xx:80..\\..\\..\\..\\..\\..\\windows\\win.ini Which
produces : {contents of win.ini}
It is possible to read arbitrary files on the remote server by
prepending ../../ or ..\\..\\ in front on the file name. It was possible
to read arbitrary files using the URL :
http://xxx.xxx.xx.xx:9095//../../../../../../../../../etc/passwd Which
produces : {contents of passwd}
However, I find that the URL that it reports does not work for me.
Perhaps it is something to do with the browser I use - not sure really.
It would be nice for the URL in the report to work. For example I once
figured out that instead of the reported URL:
http://xxx.xxx.xx.xxx:9095//../../../../../../../../../etc/passwd
this URL worked instead and gave me the passwd file:
http://xxx.xxx.xx.xx:9095/..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passw
d
I can't remember how I figured that out and have had no success at
"converting"
http://xxx.xxx.xx.xx:80..\\..\\..\\..\\..\\..\\windows\\win.ini into a
URL that gets win.ini even though the plugin clearly suceeded.
(I like my "customers" to be able to see this problem for themselves).
--
Carl Nelson
Distributed Systems Support Section, Computer Centre, University of
Leicester, Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
|