Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Vulnerability in sourceforge.net

From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 22 Jul 2004 07:49:53 -0500
Sounds like they should have configured that page a bit different...made it
run under a little less access...or said I say..it is a mis-configuration.
=)

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Dan Duplito
Sent: Wednesday, July 21, 2004 6:37 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Vulnerability in sourceforge.net


nicolas vigier <boklm () mars-attacks org> wrote:

It's not a mis-configuration, this does not allow you to look at any
secret file, only the files that the user nobody can read.


well, user "nobody" has shell access (/bin/sh) and is allowed read access to
/etc/passwd file and probably other system files as well.

i'm wondering if the discoverer (Alexander) already informed the authors of
the app...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: