On a recent test I found a website with a directory traversal attack that let me read any file. The server was Win 2003 and I read the obvious win.ini and boot.ini. I then read the Administrators desktop.ini to prove I could. I tried but couldn't read the registry files (not expected but worth trying).
The web server was an unusual one, part of an app so I couldn't find the web root. The IIS web root just had an "Under Construction" file in it so nothing interesting in there. So, without being able to do directory listings to see what is there, what files would you read on this box and why? Robin _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
