Full Disclosure mailing list archives

Bytehoard File Disclosure VUlnerability Sequel

From: Chris Sharp <illectro2001 () yahoo com>
Date: Mon, 27 Oct 2003 18:09:10 -0800 (PST)



So I'm sure this passed over your inboxes in some form
or another....
http://www.securiteam.com/unixfocus/6L00L008KE.html

Just a standard directory traversal attack in an open
source, fixed rapidly like any good open source
project. Except that nobody really looked too hard at
the software, try going to 

http://victim.com/bytehoard/files.inc.php

and you'll find the root directory of the host machine
revealsed to you, you can traverse the tree, but
downloading doesn't appear to work.

Kind of an embarressing bug to have in your software.

Just a FYI

Chris

__________________________________
Do you Yahoo!?
Exclusive Video Premiere - Britney Spears
http://launch.yahoo.com/promos/britneyspears/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Bytehoard File Disclosure VUlnerability Sequel Chris Sharp (Oct 27)