[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200605100308.k4A38ceJ003743@cairo.mitre.org>
Date: Tue, 9 May 2006 23:08:38 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re: tseekdir.cgi<--Local File Include
>foud by: BoNy-m
Also apparently found by durito in September 2004, as identified in
the Turbo Seek product.
> /tseekdir.cgi?id=1055&location=/etc/passwd%00
This is the same exploit vector as what was reported in Secunia
SA12500 and BID 11163:
http://www.securityfocus.com/bid/11163/exploit
http://secunia.com/advisories/12500/
and claimed by Secunia to be fixed in 1.7.2.
> /tseekdir.cgi?location=/../../../../etc/passwd%00
The use of ".." seems to be a new attack that IDS people might want to
note, but in my experience, you can't be sure whether this is
exhbiting a distinct bug from the absolute path issue that was already
mentioned (one of the fun things about path traversal in general).
However, this would require testing against 1.7.2 or later versions
(since fixes for absolute path issues might still allow ".."
variants).
- Steve
P.S. to moderator - feel free to privately ask me to shut up about all
these errors, I swear I only comment on a small percentage of them :)
Powered by blists - more mailing lists