oss-sec mailing list archives
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
From: Zate <zate75 () gmail com>
Date: Wed, 22 May 2013 08:35:54 -0500
I got the same results. Locally without http it shows me the local /etc/passwd and /etc/system; remotely against the reported version I get file not found with both lynx -dump and GET.

Zate

On Wed, May 22, 2013 at 8:31 AM, Matthias Weckbecker <mweckbecker () suse de> wrote:

> On Wednesday 22 May 2013 13:44:09 Oden Eriksson wrote:
>> On Wednesday, 22 May 2013 13.06.18, Matthias Weckbecker wrote:
>>> Hi,
>>>
>>> has anybody possibly already confirmed this? It might also be worth
>>> assigning a CVE to this if it turns out to be a reproducible issue.
>>
>> Confirmed here. Needed to use "lynx -dump ...".
>
> That's weird. But you've tried it *with* 'http://'? Otherwise you don't
> even generate an HTTP request.
>
> $ lynx -dump "127.0.0.1:/../../../etc/passwd"
>
> vs
>
> $ lynx -dump "http://127.0.0.1/../../../etc/passwd"
>
> I don't think this report is valid.
>
> Matthias
>
> --
> Matthias Weckbecker, Senior Security Engineer, SUSE Security Team
> SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
> Tel: +49-911-74053-0; http://suse.com/
> SUSE LINUX Products GmbH, GF: Jeff Hawn, HRB 16746 (AG Nuernberg)