Date: Thu, 30 May 2013 16:36:55 -0400
From: "Anthony G. Basile" <basile@...nsource.dyc.edu>
To: full-disclosure@...ts.grok.org.uk
Subject: No Directory Traversal Vulnerability in sthttpd

Hi everyone,

I've gotten reports from a couple of directions now regarding Metropolis Hexor's directory traversal attack against thttpd 2.25b [1]. Since I'm maintaining sthttpd, a fork of thttpd [2], I thought I'd better let people know that the exploit does not affect sthttpd. Several people have tried and just can't trigger it. sthttpd has about a dozen patches that have accumulated over the years (one reason for the fork) and one of those is the fix.

Please play with the code base [3] and report problems (or better yet, submit patches) and I will address the issues. I'm not on the list so please cc me.

Refs.

[1] http://seclists.org/fulldisclosure/2013/May/106
[2] http://opensource.dyc.edu/sthttpd
[3] http://opensource.dyc.edu/gitweb/?p=sthttpd.git;a=summary

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/