| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <000701c46fea$626c1f60$fc11010a@msad.brookshires.net> From: toddtowles at brookshires.com (Todd Towles) Subject: Vulnerability in sourceforge.net Sounds like they should have configured that page a bit different...made it run under a little less access...or said I say..it is a mis-configuration. =) -----Original Message----- From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Dan Duplito Sent: Wednesday, July 21, 2004 6:37 PM To: full-disclosure@...ts.netsys.com Subject: Re: [Full-Disclosure] Vulnerability in sourceforge.net > nicolas vigier <boklm@...s-attacks.org> wrote: > > It's not a mis-configuration, this does not allow you to look at any > secret file, only the files that the user nobody can read. well, user "nobody" has shell access (/bin/sh) and is allowed read access to /etc/passwd file and probably other system files as well. i'm wondering if the discoverer (Alexander) already informed the authors of the app... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists