[Full-Disclosure] Novell WebAcces
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] Novell WebAcces
- From: "noAcces" <noacces@xxxxxxxx>
- Date: Fri, 07 Jan 2005 09:42:04 GMT
I was playing around when I found a small problem with Novell's WebAccess.

With User.lang you can give your language as a parameter. I tried some different stuff there, and when I tried "> so that the URL would be hxxp://www.notsohappyserver.com/servlet/webacc?User.Lang="> a link appeared. I clicked it and so I found some unprotected dirs.

The problem is that the file hxxps://www.notsohappyserver/com/novell/webaccess/WebAccessUninstall.ini contains info about the servername context and install paths.

It seems that this is working on almost every WebAccess server.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
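
A defender-side check for the two requests described in the post above, as an added example that is not part of the original message: it scans web server access logs for a User.Lang value that is not a plain language tag and for requests for .ini files under /com/novell/webaccess/ (the path as written in the post). The Apache common log format, the language-tag pattern and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: access logs use the Apache common/combined log format.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumption: a legitimate User.Lang value is a short tag such as "en" or "pt-BR".
LANG_OK = re.compile(r'^[A-Za-z]{2,3}([-_][A-Za-z]{2})?$')
# Path taken from the post; any .ini under it is treated as sensitive.
INI_PATH = re.compile(r'/com/novell/webaccess/.*\.ini$', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jan/2005:09:40:01 +0000] "GET /servlet/webacc?User.Lang=en HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Jan/2005:09:41:13 +0000] "GET /servlet/webacc?User.Lang=%22%3E HTTP/1.1" 200 4876',
    '198.51.100.7 - - [07/Jan/2005:09:41:40 +0000] "GET /com/novell/webaccess/WebAccessUninstall.ini HTTP/1.1" 200 912',
    '192.0.2.10 - - [07/Jan/2005:09:42:02 +0000] "GET /com/novell/webaccess/images/logo.gif HTTP/1.1" 200 2048',
]

def classify(line):
    """Return (client, target, findings) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    url = urlsplit(target)
    findings = []
    # parse_qsl percent-decodes values, so %22%3E is compared as ">
    for name, value in parse_qsl(url.query):
        if name.lower() == "user.lang" and not LANG_OK.match(value):
            findings.append("suspicious User.Lang value")
    if INI_PATH.search(unquote(url.path)):
        # A 200 means the file was actually handed out, not just requested.
        findings.append("ini file served" if status == "200" else "ini file probed")
    return (client, target, findings) if findings else None

def scan(lines):
    """Classify every log line and keep only the flagged requests."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for client, target, findings in scan(SAMPLE_LOG):
        print(client, target, "; ".join(findings))
```

A hit of "ini file served" means the server returned the file, so the directory needs an access restriction in the web server configuration rather than only monitoring.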