lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Feb 2007 15:32:50 -0500 From: "Billy Hoffman" <Billy.Hoffman@...dynamics.com> To: "ascii" <ascii@...amail.com>, <full-disclosure@...ts.grok.org.uk>, <websecurity@...appsec.org> Subject: Re: [WEB SECURITY] Plain Old Webserver - The coolest firefox extension All depends on in the request processing you apply the fix. Its possible that URL Decoding hasn't occuried yet, whereby I can bypass your filter pretty easily. Not to mention Unicode... Billy Hoffman -- Lead Researcher, SPI Labs SPI Dynamics Inc. - http://www.spidynamics.com Phone: 678-781-4800 Direct: 678-781-4845 -----Original Message----- From: ascii [mailto:ascii@...amail.com] Sent: Friday, February 09, 2007 7:29 PM To: full-disclosure@...ts.grok.org.uk; websecurity@...appsec.org Subject: Re: [WEB SECURITY] Plain Old Webserver - The coolest firefox extension pdp (architect) wrote: > hei man, this is not a news :) hehe, the maintainer should update the changelog with this feature then :-) i suggest this fix for the directory traversal bug path = str_replace('../', '', path); regards, Francesco 'ascii' Ongaro http://www.ush.it/ ..././..././..././..././ how can't you love funsec? ------------------------------------------------------------------------ ---- Join us on IRC: irc.freenode.net #webappsec The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ http://www.webappsec.org/rss/websecurity.rss [RSS Feed] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists