Bugtraq mailing list archives
Re: Security flaw in Count.cgi (wwwcount)
From: benkovsk () PHA PVT CZ (Jaroslav Benkovsky)
Date: Mon, 13 Oct 1997 18:21:52 +0200
Razvan Dragomirescu wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I have found a vulnerability in Muhammad A. Muquit's wwwcount version 2.3 which allows remote users to read any GIF file on the server,
...

A temporary and very dirty fix is to apply something like

case SHOW_GIF_FILE: { + PrintHeader(); + StringImage("Images have been disabled"); + exit(1); + if (*digit_info.gif_file == '\0') { PrintHeader();

to wwwcount2.3/main.c (stupid, but maybe it helps somebody).

Btw, counter sources are careless in many other cases. I'm sorry if this seems stupid to you

Edheldil
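
Review bot: the three lines added at the top of `case SHOW_GIF_FILE:` exit unconditionally, so the `if (*digit_info.gif_file == '\0')` test and the rest of the case after it become unreachable, and nothing in the code says so. Put the early exit behind a compile-time switch, or at least add a comment marking it as a temporary disable, so the dead code below is not mistaken for a live path. Also, `exit(1)` comes after `PrintHeader()` and `StringImage(...)`, so the process reports failure after it has apparently already produced a response; `exit(0)` would match what was sent. Since the report is that any GIF file on the server can be read, the longer-term change is to validate `digit_info.gif_file` before it is used rather than to disable the feature.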