oss-sec mailing list archives
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
From: George Theall <gtheall () tenable com>
Date: Wed, 22 May 2013 13:38:32 +0000
On May 22, 2013, at 9:29 AM, Vitezslav Cizek <civ () blema cz> wrote:
* Dne Středa 22. květen 2013, 13:44:09 [CEST] Oden Eriksson napsal:onsdagen den 22 maj 2013 13.06.18 skrev Matthias Weckbecker:Hi, has anybody possibly already confirmed this? It might also be worth to assign a CVE to this if it turns out to be a reproducible issue.Confirmed here. Needed to use "lynx -dump ...".Are you sure? I fail to reproducet the problem.
This seems like a configuration issue rather than a vulnerability. The code in libhttpd.c seems to filter directory traversal sequences. And I was able to reproduce this only if thttpd was serving files out of the system root directory (e.g., "thttpd -d /"), in which case the directory traversal sequences are irrelevant. George -- theall () tenable com
Current thread:
- Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability Matthias Weckbecker (May 22)
- Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability Oden Eriksson (May 22)
- Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability Vitezslav Cizek (May 22)
- Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability George Theall (May 22)
- Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability The Doctor (May 22)
- Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability Matthias Weckbecker (May 22)
- Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability Zate (May 22)
- Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability Oden Eriksson (May 22)
- Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability Vitezslav Cizek (May 22)
- Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability Tavis Ormandy (May 22)
- Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability Oden Eriksson (May 22)