Full Disclosure mailing list archives
Re: Vulnerability in sourceforge.net
From: nicolas vigier <boklm () mars-attacks org>
Date: Wed, 21 Jul 2004 17:12:05 +0200
On Wed, 21 Jul 2004, Todd Towles wrote:
> I don't think it is big either, but I don't have an account on soundforge.net - therefore I was unaware of the limited access this would give you. But if they need to correct it, then it is a small vulnerability (mis-configuration or whatever).
It's not a mis-configuration, this does not allow you to look at any secret file, only the files that the user nobody can read.
> <rant> Directory Traversals are pretty public and are one of the vulnerabilities that should teach people to lock down the services on exposed servers. Why should your SQL or Web server run as SYSTEM (or root) when it works fine in a more limited user? Why take the chance? </rant>
On sourceforge it's running as "nobody" (it would be a little better if they created an account for that).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html