Hello, Plugin 10297 is good because it reports things such as:
It is possible to read arbitrary files on the remote server by prepending ../../ or ..\\..\\ in front on the file name. It was possible to read arbitrary files using the URL : http://xxx.xxx.xxx.xx:80..\\..\\..\\..\\..\\..\\windows\\win.ini Which produces : {contents of win.ini} It is possible to read arbitrary files on the remote server by prepending ../../ or ..\\..\\ in front on the file name. It was possible to read arbitrary files using the URL : http://xxx.xxx.xx.xx:9095//../../../../../../../../../etc/passwd Which produces : {contents of passwd} However, I find that the URL that it reports does not work for me. Perhaps it is something to do with the browser I use - not sure really. It would be nice for the URL in the report to work. For example I once figured out that instead of the reported URL: http://xxx.xxx.xx.xxx:9095//../../../../../../../../../etc/passwd this URL worked instead and gave me the passwd file: http://xxx.xxx.xx.xx:9095/..\\..\\..\\..\\..\\..\\..\\..\\..\\etc\\passw d I can't remember how I figured that out and have had no success at "converting" http://xxx.xxx.xx.xx:80..\\..\\..\\..\\..\\..\\windows\\win.ini into a URL that gets win.ini even though the plugin clearly suceeded. (I like my "customers" to be able to see this problem for themselves). -- Carl Nelson Distributed Systems Support Section, Computer Centre, University of Leicester, Leicester, LE1 7RH, U.K. Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027 _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
