Bugtraq mailing list archives
Roxen Web Server Vulnerability
From: zorgon () SDF FREESHELL ORG (zorgon () SDF FREESHELL ORG)
Date: Fri, 21 Jul 2000 07:48:18 +0000
Hi all,

Excuse me for my poor English :) I discovered two problems in Roxen Web Server 2.0.46 (and certainly prior). Perhaps it isn't important.

* First problem: Suppose that Roxen is installed by default in /usr/local; the /usr/local/roxen/configurations/_configinterface/settings/administrator_uid file holds the crypt password of the Web server's administrator. By default, the permissions are 644. So, it allows a local user to read and decrypt the password.

* Second problem: If you type the URL http://www.victim.com/%00/, you will see the contents of the site in question. This vulnerability was directly tested on Roxen's web site: http://www.roxen.com

--
zorgon () sdf lonestar org
Web Site : http://www.nightbird.fr.st
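The two findings in the post lend themselves to a defender's check. The following is an added example, not code from the post or from Roxen: it tests whether the settings file's mode leaves it group- or world-readable (the 644 the report describes) and scans web server access-log lines for request paths that decode to a NUL byte, as in the `/%00/` request. The file path is the one from the report, assuming the default /usr/local install; the log lines are constructed samples in Common Log Format.

```python
import os
import re
import stat
from urllib.parse import unquote

# Path from the report, assuming the default /usr/local install.
SETTINGS_FILE = "/usr/local/roxen/configurations/_configinterface/settings/administrator_uid"


def mode_is_world_readable(mode):
    """True if the permission bits grant read to group or others (e.g. 0o644)."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRGRP | stat.S_IROTH))


def check_settings_file(path=SETTINGS_FILE):
    """Return (exists, needs_fix); a password hash file should be owner-only (0o600)."""
    if not os.path.exists(path):
        return False, False
    return True, mode_is_world_readable(os.stat(path).st_mode)


def harden_settings_file(path=SETTINGS_FILE):
    """Restrict the file to its owner: mode 600."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


# Common Log Format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def has_encoded_nul(raw_path):
    """True if the path decodes to a NUL byte, after one or two decode passes
    (so a double-encoded %2500 is flagged as well as %00)."""
    once = unquote(raw_path)
    return "\x00" in once or "\x00" in unquote(once)


def flag_requests(log_lines):
    """Return (client, path, status) for each request whose path carries an encoded NUL."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in Common Log Format
        client, _method, path, status = m.groups()
        if has_encoded_nul(path):
            hits.append((client, path, int(status)))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jul/2000:07:48:18 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '192.0.2.11 - - [21/Jul/2000:07:49:02 +0000] "GET /%00/ HTTP/1.0" 200 5678',
    '192.0.2.12 - - [21/Jul/2000:07:50:15 +0000] "GET /%2500/ HTTP/1.0" 404 0',
    '192.0.2.13 - - [21/Jul/2000:07:51:00 +0000] "GET /docs/%00 HTTP/1.0" 403 0',
]
```

A request that decodes to a NUL and still returns 200 is the case worth alerting on; a 404 or 403 shows the server rejected it.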