Full Disclosure mailing list archives
Re: [SECURITY] [DSA 1639-1] New twiki packages execution of arbitrary code
From: "webby devil" <w3bd3vil () gmail com>
Date: Sun, 21 Sep 2008 14:01:36 +0530
Steve, I just had a look at your patch and it seems to me that you just filter out the remote command execution and not the file disclosure in Twiki. http://security.debian.org/pool/updates/main/t/twiki/twiki_4.0.5-9.1etch1.diff.gz The configure file is patched with this if ( $image =~ /^([-.\w]+)$/ ) { $image = $1; } You are basically allowing the ../../../ which can be used for ../../../etc/passwd In terms of example, what you have done is filter out /bin/configure?action=image;image=|ls%20-l|;type=text/plain and not /bin/configure?action=image;image=|../../../../../../etc/passwd|;type=text/plain Regards, webDEViL
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [SECURITY] [DSA 1639-1] New twiki packages execution of arbitrary code Steve Kemp (Sep 19)
- <Possible follow-ups>
- Re: [SECURITY] [DSA 1639-1] New twiki packages execution of arbitrary code webby devil (Sep 21)