Web Site Pro Allows Unauthorized File Uploads

 

Reported August 24, 2000 by Crono

VERSIONS AFFECTED
  • O'Reilly Website Pro 2.3.7

DESCRIPTION

By default, Website Pro creates several directories for use during the operation of the Web server, and these directories have loose security permissions that allow any user to access them. One directory in particular (cgi-win) contains a program (uploader.exe) that allows a user to upload files to the Web server. Because both the directory and the uploader.exe program have loose security permissions, an anonymous user can access the program via a URL and upload files to the Web server.

VENDOR RESPONSE

O'Reilly is aware of this problem; however, no response was known at the time of this writing. Users should carefully inspect the security permissions for each Web server directory to ensure that no unauthorized access is allowed.
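
One way to check existing access logs for anonymous use of the uploader described above (an added example, not part of the original advisory and not O'Reilly's code). It assumes the server logs in Common Log Format and that the program is served at /cgi-win/uploader.exe, a path inferred from the directory and program names; the sample log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Common Log Format: host ident authuser [date] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')
# Assumed URL path, inferred from the directory and program names in the advisory.
TARGET = "/cgi-win/uploader.exe"

def normalize(target):
    """Reduce a request target to a canonical, comparable path."""
    path = target.split("?", 1)[0]
    for _ in range(2):  # decode twice to catch double encoding (%2575 -> %75 -> u)
        path = unquote(path)
    path = path.replace("\\", "/").lower()  # Windows: case-insensitive, either slash
    return posixpath.normpath(re.sub(r"/+", "/", path))  # drop "//" and "/./"

def find_uploader_hits(lines):
    """Return (host, method, status, verdict) for anonymous requests to the uploader."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["user"] != "-":  # skip unparsable lines and authenticated users
            continue
        path = normalize(m["target"])
        if path != TARGET and not path.startswith(TARGET + "/"):
            continue
        ok = m["status"].startswith("2")
        if ok and m["method"] == "POST":
            verdict = "upload-accepted"  # anonymous POST succeeded: review uploaded files
        else:
            verdict = "reachable" if ok else "blocked"
        hits.append((m["host"], m["method"], int(m["status"]), verdict))
    return hits

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [24/Aug/2000:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [24/Aug/2000:10:02:11 -0400] "GET /cgi-win/uploader.exe HTTP/1.0" 200 512',
    '198.51.100.7 - - [24/Aug/2000:10:02:40 -0400] "POST /CGI-WIN/Uploader.EXE HTTP/1.0" 200 87',
    '203.0.113.5 - - [24/Aug/2000:11:15:09 -0400] "POST /cgi-win/%75ploader.exe HTTP/1.0" 403 0',
    '192.0.2.44 - webadmin [24/Aug/2000:12:00:00 -0400] "POST /cgi-win/uploader.exe HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for hit in find_uploader_hits(SAMPLE):
        print(hit)
```

A "blocked" verdict after permissions have been tightened confirms the fix is holding; "reachable" or "upload-accepted" means the directory permissions still need attention.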

CREDIT
Discovered by Crono
