Open Source and information security mailing list archives
Message-ID: <20050218051844.2758.qmail@www.securityfocus.com>
Date: 18 Feb 2005 05:18:44 -0000
From: Vade 79 <v9@...ehalo.deadpig.org>
To: bugtraq@...urityfocus.com
Subject: Re: NetSec Security Advisory: Multiple Vulnerabilities Resulting
    From Use Of Apple OSX HFS+


In-Reply-To: <DBA4F9D89F7DD54DB5E33F41D90DD3E003277F3A@...-exu1.netsec.net>

>VULNERABILITY DETAILS
>
>Name:		Multiple Vulnerabilities Resulting From Use Of Apple OSX HFS+
>Impact:    	HIGH
>Platform:  	Apple OS X (Darwin) <= 10.2
>Method:	Possible unauthorized access to file system data
>Identifier:	07012005-01

After reading your advisory I do agree it is a security issue, and is 
certainly worthy of reporting/posting.  However a HIGH impact? I just 
don't see it; at most they can read CGI scripts, and most of the time 
they can't even do that.  For example, I tested it on my OSX Apache 
server and my (perl) scripts were forbidden to read by default using the 
method mentioned ("/path/to/file/..namedfork/data").

Sorry if this seems like a rant.
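
Added example, not part of the original post or the advisory: a web-log check for the "..namedfork" request form quoted above that reports whether the server refused or served each request. The log lines are constructed, and the log format and function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common-log style (not from the post).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Feb/2005:05:01:02 +0000] "GET /cgi-bin/test.pl HTTP/1.1" 200 512
192.0.2.11 - - [18/Feb/2005:05:01:09 +0000] "GET /cgi-bin/test.pl/..namedfork/data HTTP/1.1" 403 289
192.0.2.12 - - [18/Feb/2005:05:02:30 +0000] "GET /cgi-bin/test.pl/%2e%2eNamedFork/DATA HTTP/1.1" 200 1843
192.0.2.13 - - [18/Feb/2005:05:03:44 +0000] "GET /docs/namedfork.html HTTP/1.1" 200 2048
"""

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalise(target):
    """Drop the query string, undo (repeated) percent-encoding, fold case."""
    path = target.split("?", 1)[0]
    prev = None
    while prev != path:          # decode until stable to catch double encoding
        prev, path = path, unquote(path)
    return path.lower()          # HFS+ is case-insensitive by default

def fork_requests(log_text):
    """Return (client, raw_target, status, outcome) for each request
    whose path contains a '..namedfork' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        # Match on whole path segments so 'namedfork.html' is not flagged.
        if "..namedfork" in normalise(m.group("target")).split("/"):
            status = int(m.group("status"))
            outcome = "served" if 200 <= status < 300 else "refused"
            hits.append((line.split()[0], m.group("target"), status, outcome))
    return hits

if __name__ == "__main__":
    for client, target, status, outcome in fork_requests(SAMPLE_LOG):
        print(f"{outcome:8} {status} {client} {target}")
```

A "refused" entry corresponds to the forbidden response described above; a "served" entry is the case that needs follow-up.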

