EXPLOITS

Qbik WinGate Standard 3.0.5 - Log Service Directory Traversal

Author: eEYe
type: remote
platform: multiple
port: 
date_added: 1999-02-22  
date_updated: 2012-06-23  
verified: 1  
codes: OSVDB-83382  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 19383.txt  

source: https://www.securityfocus.com/bid/507/info


The WinGate log service is configured by default to only allow connections from 127.0.0.1, but can be set to allow connections from anywhere. Either way, there is a vulnerability that will allow any file to be read through the log service port over an http connection.

Update (October 16, 2000):

Blue Panda <bluepanda@dwarf.box.sk> has discovered that a variation of the vulnerability exists in recent versions. Using escaped characters, one can achieve the same effect.

There are various ways of exploiting this.
NT and Win9x:
h t t p://www.server.com:8010/c:/
h t t p://www.server.com:8010//
Win9x only:
h t t p://www.server.com:8010/..../