Name: File Discovery Vulnerability (11-20-2000)

About: The script "HIS Auktion 1.62" is a catalog-of-links CGI script. The creator's site: http://www.his-software.de

Problem: Vulnerabilities exist such that someone can identify whether sensitive files exist and determine user IDs on the BBDISPLAY server(s), and use those to launch a password brute-force attack.

Exploit: http://www.victim.com/cgi-bin/bb-hist.sh?HISTFILE=/home/*

Loki Fate Research Labs loki@f8labs.com
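
One way to close the file-existence oracle described above, as an added example that is not the vendor's code or part of the original advisory: the HISTFILE value is accepted only as a plain file name inside a single history directory, and every rejection returns the same response. The directory `HIST_DIR` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate a HISTFILE-style CGI parameter before any file access.
# HIST_DIR and all function names are assumptions, not taken from the product.
LC_ALL=C; export LC_ALL                     # make the character ranges below ASCII-only
HIST_DIR="${HIST_DIR:-/var/lib/bb/hist}"    # assumed location of history files

# Print the raw (undecoded) value of one parameter from a query string.
query_param() {   # $1 = parameter name, $2 = query string
    printf '%s\n' "$2" | tr '&' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Print the resolved path and return 0 only for a plain file name in HIST_DIR.
safe_hist_path() {   # $1 = raw HISTFILE value
    case "$1" in
        # Empty value, leading dot, or any character outside the allowlist.
        # This rejects '/', '*', '?', and '%' (so encoded forms fail too).
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    path="$HIST_DIR/$1"
    # Must be an existing regular file and not a symlink leading elsewhere.
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    printf '%s\n' "$path"
}

# Emit the CGI response for a request's query string.
handle_request() {   # $1 = QUERY_STRING
    raw=$(query_param HISTFILE "$1")
    if file=$(safe_hist_path "$raw"); then
        printf 'Status: 200 OK\r\nContent-Type: text/plain\r\n\r\n'
        cat "$file"
    else
        # Identical reply for "not allowed" and "does not exist", so the
        # response no longer reveals whether a given path is present.
        printf 'Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n'
        printf 'Invalid history file\n'
    fi
}

# Constructed request mirroring the advisory's URL: answered with the generic 400.
handle_request 'HISTFILE=/home/*'
```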