| VID | 22219 |
| Severity | 20 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
WebSite Pro version 2.4.9 and earlier is vulnerable to a directory disclosure issue: a remote attacker can obtain the complete absolute path of the web document directory on a target server. The default 404 error output displays the absolute path of the web document directory on the server running WebSite Pro. The physical location of a virtual web directory on the target host can be discovered by issuing the command:
GET /HTTP1.0/
This can reveal valuable information to an attacker, allowing them to focus their attack.
* References: http://www.securityfocus.com/archive/1/41798
* Platforms Affected: O'Reilly Software WebSite Professional 2.4.9 and earlier; Microsoft Windows, any version |
| Recommendation |
O'Reilly will no longer sell or support WebSite Professional. Development of the product has continued, and it is now named VisNetic WebSite. Use another web server or the latest version of VisNetic WebSite (3.5.19 or later), available from the VisNetic Software web site at http://www.deerfield.com/products/visnetic_website/ |
| Related URL | CVE-2000-0066 (CVE) |
| Related URL | 932 (SecurityFocus) |
| Related URL | (ISS) |
|
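
A defender-side check for the issue described above, as an added example that is not part of the original advisory: it scans an HTTP error response for Windows absolute paths, so an administrator can confirm that their own server's 404 page does not disclose the document root. The sample responses, the `ExampleServer` header and the path `C:\WebSite\htdocs` are constructed for illustration and are not WebSite Pro's actual output.

```python
import re

# Windows absolute paths: drive-letter form (C:\dir\file) or UNC form (\\host\share\dir).
# The lookbehind keeps URL schemes such as "http://" from matching as a drive letter.
# Matching stops at whitespace, so a path containing spaces is reported truncated,
# which is still enough to flag the disclosure.
WIN_PATH = re.compile(
    r"(?<![A-Za-z0-9])(?:[A-Za-z]:[\\/]|\\\\[^\\/\s<>\"']+\\)[^\s<>\"'|?*]+"
)

def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % status_line)
    return int(parts[1]), body.decode("latin-1")

def leaked_paths(raw: bytes):
    """Return the absolute filesystem paths disclosed in an error (4xx/5xx) body."""
    status, body = split_response(raw)
    if status < 400:
        return []
    # Drop trailing punctuation that prose places after a path.
    found = [m.group(0).rstrip(".,;:)") for m in WIN_PATH.finditer(body)]
    return sorted(set(found))

# Constructed sample: an error page that echoes the document root.
SAMPLE_LEAKY = (
    b"HTTP/1.0 404 Not Found\r\nServer: ExampleServer\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>404 Not Found</h1>"
    b"The requested URL was not found: C:\\WebSite\\htdocs\\HTTP1.0\\</body></html>"
)
# Constructed sample: a generic error page with no server-side path.
SAMPLE_CLEAN = (
    b"HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>404 Not Found</h1>"
    b"See http://example.com/help for details.</body></html>"
)

if __name__ == "__main__":
    for name, raw in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(name, leaked_paths(raw))
```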