Full Disclosure mailing list archives

New hole in W3Mail


From: Tim Brown <netsys () machine org uk>
Date: Tue, 12 Nov 2002 22:43:55 +0000 (GMT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The attached advisory supersedes my previous effort regarding W3Mail
(NDSA20020719).  It seems that in fixing the original holes, CascadeSoft
introduced a new one.

Their fix for the original hole was as I suggested, to move the MIME
attachments data from the web server document root.  Unfortunately, the
script they wrote to allow users to access the attachment does no
checking about the validity of the file argument, allowing you to request
any file that is readable by the web server user.

The vendor has been notified, but since they never bothered to
acknowledge our contact last time, we're expecting no official response.
Hopefully this time they will be able to correct the bug in less than 4
months.

Cheers,
Tim
- -- 
Tim Brown
<mailto:netsys () machine org uk>
<http://www.machine.org.uk/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE90YQ4VAlO5exu9x8RAo4mAKCuBRYpvxUhihxv4CWNI+NdeRQkBQCgxcYw
wz1IdqY3MvAcCJRBMCv5e68=
=1Mw4
-----END PGP SIGNATURE-----

Attachment: NDSA20021112.txt.asc
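
The missing check described in the message above, as an added example that is not part of the original post and is not W3Mail's code: a download handler that canonicalises the file argument and refuses anything that does not resolve to a regular file inside the attachment store. The function names, directory layout and file names are constructed for illustration.

```python
import os
import tempfile

class AttachmentError(Exception):
    """The requested name does not resolve to a file inside the store."""

def resolve_unchecked(store, name):
    # The flaw class from the post: the file argument is used as supplied.
    return os.path.join(store, name)

def resolve_checked(store, name):
    # Canonicalise both paths (collapses "..", follows symlinks), then require
    # a regular file that still lies inside the attachment store.
    root = os.path.realpath(store)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
        raise AttachmentError(name)
    return target

def is_allowed(store, name):
    try:
        resolve_checked(store, name)
        return True
    except (AttachmentError, ValueError):  # ValueError: malformed name (e.g. NUL)
        return False

def demo():
    # Constructed layout: one attachment in the store, one file outside it.
    base = tempfile.mkdtemp()
    store = os.path.join(base, "attachments")
    os.mkdir(store)
    outside = os.path.join(base, "outside.conf")
    for path in (os.path.join(store, "report.pdf"), outside):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    os.symlink(outside, os.path.join(store, "link.pdf"))
    requests = {"plain": "report.pdf", "dotdot": "../outside.conf",
                "absolute": outside, "symlink": "link.pdf",
                "missing": "nope.pdf", "store_itself": ""}
    allowed = {k: is_allowed(store, v) for k, v in requests.items()}
    # Without the check, the "dotdot" request reaches the file outside the store.
    allowed["unchecked_dotdot_reads_outside"] = os.path.samefile(
        resolve_unchecked(store, "../outside.conf"), outside)
    return allowed

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32} {result}")
```

Comparing canonical paths rather than filtering for ".." in the string is what also catches the absolute-path and symlink cases.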