lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <51A7B867.5080800@opensource.dyc.edu>
Date: Thu, 30 May 2013 16:36:55 -0400
From: "Anthony G. Basile" <basile@...nsource.dyc.edu>
To: full-disclosure@...ts.grok.org.uk
Subject: No Directory Traversal Vulnerability in sthttpd

Hi everyone,

I've gotten reports from a couple of directions now regarding Metropolis 
Hexor's directory traversal attack against thttpd 2.25b [1].  Since I'm 
maintaining sthttpd, a fork of thttpd [2], I thought I'd better let 
people know that the exploit does not affect sthttpd.  Several people 
have tried and just can't trigger it.  sthttpd has about a dozen patches 
that have accumulated over the years (one reason for the fork) and one 
of those is the fix.

Please play with the code base [3] and report problems (or better yet, 
submit patches) and I will address them issues.

I'm not on the list so please cc me.

Refs.

   [1] http://seclists.org/fulldisclosure/2013/May/106
   [2] http://opensource.dyc.edu/sthttpd
   [3] http://opensource.dyc.edu/gitweb/?p=sthttpd.git;a=summary

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ