[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : QuotaAdvisor 4.1 by WQuinn

Title: QuotaAdvisor 4.1 by WQuinn
Released by: Delphis Consulting Plc
Date: 26th September 2000
Printable version: Click here
============================================================================

    Delphis Consulting Plc

============================================================================



   Security Team Advisories

       [26/09/2000]



    securityteam@delphisplc.com

  [http://www.delphisplc.com/thinking/whitepapers/]



============================================================================

Adv     :       DST2K0040

Title   :       QuotaAdvisor 4.1 by WQuinn susceptible to any user being

able to list (not read) all files on any server running

QuotaAdvisor.

Author  :       DCIST (securityteam@delphisplc.com)

O/S     :       Windows NT 4.0 Server (SP5)

Product :       QuotaAdvisor 4.1 (Build 450)

Date    :       26/09/2000



I.    Description



II.   Solution



III.  Disclaimer





============================================================================



I. Description

============================================================================



Vendor URL: http://www.wquinn.com/



Delphis Consulting Internet Security Team (DCIST) discovered the following

vulnerability in WQuinn QuotaAdvisor under WindowsNT.



Severity: Low



It is possible to list all of the files contained on a file system which

is on a server with QuotaAdvisor running upon it. This requires only a

normal user account (i.e. non adminstrator/poweruser). This normal user

account can list the top level administration shares but not the contents.

However if you run a report upon that share the report will contain a

complete list of files and their physical locations.



II. Solution

============================================================================



Vendor Status: Informed



III. Disclaimer

============================================================================

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT

THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR

IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  NEITHER THE AUTHOR NOR THE

PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR

CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE

PLACED ON, THIS INFORMATION FOR ANY PURPOSE.

============================================================================

This e-mail and any files transmitted with it are intended solely for the

addressee and are confidential. They may also be legally

privileged.Copyright in them is reserved by Delphis Consulting PLC

["Delphis"] and they must not be disclosed to, or used by, anyone other than

the addressee.If you have received this e-mail and any accompanying files in

error, you may not copy, publish or use them in any way and you should

delete them from your system and notify us immediately.E-mails are not

secure.  Delphis does not accept responsibility for changes to e-mails that

occur after they have been sent.  Any opinions expressed in this e-mail may

be personal to the author and may not necessarily reflect the opinions of

Delphis








(C) 1999-2000 All rights reserved.