COMMAND

    QuotaAdvisor

SYSTEMS AFFECTED

    QuotaAdvisor 4.1 (Build 450) by WQuinn

PROBLEM

    The following is based on Delphis Consulting Security Advisory
    DST2K0040.  Delphis Consulting Internet Security Team (DCIST)
    discovered the following vulnerability in WQuinn QuotaAdvisor
    under Windows NT.

    It is possible to list all of the files on a file system of a
    server that is running QuotaAdvisor.  This requires only a normal
    user account (i.e. non-administrator/poweruser).  This normal user
    account can list the top-level administration shares but not their
    contents.  However, if you run a report on such a share, the
    report will contain a complete list of files and their physical
    locations.

SOLUTION

    Nothing yet.