From: venom at gen-x.co.nz (VeNoMouS)
Subject: ByteHoard Directory Traversal Vulnerability

all files or just the contents of a folder?

----- Original Message -----
From: "Sintelli SINTRAQ" <sintraq@...telli.com>
To: <full-disclosure@...ts.netsys.com>; <bugtraq@...urityfocus.com>
Sent: Monday, October 20, 2003 8:16 AM
Subject: [Full-Disclosure] ByteHoard Directory Traversal Vulnerability

> ByteHoard Directory Traversal Vulnerability
> 17 October 2003
>
> Original Advisory
> http://www.sintelli.com/adv/sa-2003-03-bytehoard.pdf
>
> Background
> ByteHoard is an online storage system whereby users can upload and download
> their files from anywhere with an Internet connection.
>
> More information about the product is available here:
> http://bytehoard.sourceforge.net/index.php?about
>
> Description
> ByteHoard does not properly validate user-supplied input for URL
> requests. This allows directory traversal characters to be added to the URL
> request and thus allows directory traversal.
>
> An example is:
> http://victim.com/bytehoard/index.php?infolder=../../../../
>
> Impact
> It is possible for an attacker to view all files on the system.
>
> Versions affected
> Version 0.7
>
> Solution
> Upgrade to version 0.71
>
> Tar version
> http://prdownloads.sourceforge.net/bytehoard/bytehoard_point_seven_one.tar
> gz?download
>
> Zip version
> http://prdownloads.sourceforge.net/bytehoard/bytehoard_point_seven_one.zip
> ?download
>
>
> Vulnerability History
> 16 Oct 2003 Identified by Ezhilan of Sintelli
> 17 Oct 2003 Issue disclosed to ByteHoard developer (Andrew Godwin)
> 17 Oct 2003 Vulnerability confirmed by Andrew Godwin
> 17 Oct 2003 Sintelli provided with fix
> 17 Oct 2003 Sintelli confirms vulnerability has been addressed
> 17 Oct 2003 Fix publicly available
> 17 Oct 2003 Sintelli Public Disclosure
>
> Credit
> Ezhilan of Sintelli discovered this vulnerability.
>
> About Sintelli:
> Sintelli is the world's largest provider of security intelligence
> solutions. Sintelli is the definitive source for IT Security
> intelligence and is a provider of third generation intelligence security
> solutions.
>
> Request a free trial of our alerting solution by clicking here
> http://www.sintelli.com/free-trial.htm
>
> Copyright 2003 Sintelli Limited. All rights reserved. www.sintelli.com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
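The defect class the quoted advisory describes (a folder parameter joined to a storage root and trusted) beside the containment check that fixes it, as an added Python example; this is not ByteHoard's code (which is PHP), and the storage root path is an assumption for the illustration.

```python
import posixpath
import urllib.parse
from typing import Optional

# Assumed storage root for this example; ByteHoard's real layout is not on the page.
STORAGE_ROOT = "/var/www/bytehoard/files"


def infolder_from_url(url: str) -> str:
    """Return the ``infolder`` query value as the web server would hand it to index.php."""
    query = urllib.parse.urlsplit(url).query
    return urllib.parse.parse_qs(query, keep_blank_values=True).get("infolder", [""])[0]


def resolve_naively(infolder: str) -> str:
    """The defect the advisory describes: join the parameter to the root and trust the result."""
    return posixpath.normpath(posixpath.join(STORAGE_ROOT, infolder))


def resolve_contained(infolder: str) -> Optional[str]:
    """Hardened variant: the normalised path must remain inside STORAGE_ROOT.

    Returns the folder path to list, or None when the request must be refused.
    Normalisation here is purely lexical (no symlink resolution) so it runs offline;
    a deployed check would additionally realpath() both sides on the live filesystem.
    """
    if infolder.startswith("/") or "\x00" in infolder:
        return None  # absolute paths and embedded NULs are never legitimate folder names
    root = STORAGE_ROOT.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, infolder))
    # Compare against root + "/" so a sibling such as ".../files-old" is not mistaken for ".../files".
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # The exact request quoted in the advisory.
    param = infolder_from_url("http://victim.com/bytehoard/index.php?infolder=../../../../")
    print("naive  :", resolve_naively(param))      # escapes the root to "/"
    print("checked:", resolve_contained(param))    # None: refused
    print("checked:", resolve_contained("reports/2003"))
```

Note that `reports/../2003` is still accepted because it resolves inside the root; the check constrains the resolved location, not the presence of `..` in the string.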