Date: Fri, 9 Apr 1999 20:41:39 +0100 From: Mnemonix To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Webcom's CGI Guestbook for Win32 web servers I reported a while back on Webcom's (www.webcom.se) CGI Guestbook (wguest.exe and rguest.exe) having a number of security problems where any text based file on an NT machine could be read from the file system provided the attacker knew the path to the file and the Anonymous Internet Account (IUSR_MACHINENAME on IIS) has the NTFS read right to the file in question. On machines such as Windows 95/98 without local file security every file is readable. wguest.exe is used to write to the Guestbook and rguest.exe is used to read from the Guestbook Their latest version has made this simpler: A request for http://server/cgi-bin/wguest.exe?template=c:\boot.ini will return the remote Web server's boot.ini and http://server/cgi-bin/rguest.exe?template=c:\winnt\system32\$winnt$.inf will return the $winnt$.inf file. Why the developers at Webcom have not resolved this issue in their latest version is bordering the criminal. I received no response to my mail to them about this. Anybody using this Guestbook should remove it as soon as possible and obtain another CGI Guestbook if you really need one. Cheers, David Litchfield http://www.arca.com http://www.infowar.co.uk/mnemonix/