+++>===] Written by Nemesystm, leader of the DHC [===<+++
++++>==] Visit us at dhc1.cjb.net   You want 2   [==<++++

Subject: Infradig 1.225 Security Hole

Description program: Infradig is an HTTP server with a mail daemon, etc.
Description hole: There are no restrictions on the online administration bit of the server software.

<-[what was used]->
Infradig 1.225 for Windows 95/98, downloaded from cnet.com.
Installed with the typical installation; no standard settings changed.
This problem worked on: Windows 98 + IE5.0

<-[how to create the problem]->
The administration service runs on port 81 (as a default; it can be changed).
Connecting to:
http://www.server.com:81/sysadmin/sysadmin.cgi
will let you edit accounts, add users, set all kinds of things like ports, and start services (FTP, etc.).
On the HTTP server, you can go to http://www.server.com/sysadmin/ and it will/should automatically refer you to the administration service.

<-[logs]->
When you go to the administration page, your IP is logged. You can find the logs in programdir\logs. The logs also record what you do and what browser you used.

<-[fix]->
Delete:
program dir\inetpub\sysadmin\*.*
program dir\inetpub\mailadmin\*.*
Change all user settings, etc., by right-clicking the server icon in the bottom right corner of the screen and choosing "Manual configure".

Greetz, nemesystm, leader of the DHC (dhc1.cjb.net)
>>>The End<<<
auto45040@hushmail.com for questions.
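
Added example, not part of the original advisory and not Infradig's own code: a log review for the exposure described under <-[logs]->, listing requests to the /sysadmin and /mailadmin paths that came from addresses outside a trusted range. The log layout (combined log format), the trusted range and the sample lines are assumptions, since the advisory does not show what the files in programdir\logs look like.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed combined-log layout; adapt the pattern to the real log files.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
    r'[^"]*" (?P<status>\d{3}) \S+(?: "[^"]*" "(?P<agent>[^"]*)")?')
ADMIN_PREFIXES = ("/sysadmin", "/mailadmin")  # directories named in the fix


def is_admin_path(raw_path):
    """True for admin URLs, after percent-decoding and case folding."""
    path = re.sub(r"[/\\]+", "/", unquote(raw_path).lower()).split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def admin_hits(lines, trusted=("127.0.0.0/8",)):
    """Group admin requests from untrusted clients by source address."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_admin_path(m["path"]):
            continue  # unparseable line, or not an admin request
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            addr = None  # hostname logged instead of an IP: keep as untrusted
        if addr is not None and any(addr in n for n in nets):
            continue
        hits[m["ip"]].append((m["ts"], m["method"], m["path"], m["status"], m["agent"]))
    return dict(hits)


# Constructed sample lines using documentation addresses, not real server output.
UA = '"-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"'
SAMPLE = [
    f'203.0.113.7 - - [12/Mar/2000:10:01:22 +0000] "GET /sysadmin/sysadmin.cgi HTTP/1.0" 200 5120 {UA}',
    f'203.0.113.7 - - [12/Mar/2000:10:02:05 +0000] "POST /%53ysAdmin/sysadmin.cgi HTTP/1.0" 200 310 {UA}',
    f'127.0.0.1 - - [12/Mar/2000:10:03:00 +0000] "GET /sysadmin/ HTTP/1.0" 302 0 {UA}',
    f'198.51.100.20 - - [12/Mar/2000:10:04:41 +0000] "GET /index.html HTTP/1.0" 200 2048 {UA}',
    f'198.51.100.20 - - [12/Mar/2000:10:05:13 +0000] "GET /mailadmin/ HTTP/1.0" 200 900 {UA}',
    'truncated or corrupt line',
]

if __name__ == "__main__":
    print({ip: len(reqs) for ip, reqs in admin_hits(SAMPLE).items()})
```

Paths are compared after percent-decoding and lower-casing because a Windows server resolves /SysAdmin/ and /%73ysadmin/ to the same directory, so a literal string match on the log would miss those requests.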