Vulnerability Development mailing list archives
Re: texis(CGI) Path Disclosure Vulnerability
From: zeno <bugtraq () cgisecurity net>
Date: Wed, 6 Feb 2002 09:34:18 -0500 (EST)
Advisory: texis(CGI) Path Disclosure Vulnerability
Application: Thunderstone's texis(CGI)
Release Date: 02.05.02
Severity: Any user can send an invalid path to texis(CGI) causing it to reveal the full path to the webroot. In some cases texis will display system specific information (OS, processor type).
Vendor Status: ThunderStone was contacted and has not responded since Jan.29.02

I was also working on this problem, unrelatedly. Another thing to add is that if you add an extension of .txt to the end of a filename, it displays the file in txt format rather than html.

http://hotfiles.zdnet.com/cgi-bin/texis/.txt

    Trying 205.181.112.68...
    Connected to hotfiles.zdnet.com.
    Escape character is '^]'.
    GET /cgi-bin/texis/.txt HTTP/1.0

    HTTP/1.1 200 OK
    Date: Wed, 06 Feb 2002 14:46:23 GMT
    Server: Apache/1.3.11 (Unix)
    Connection: close
    Content-Type: text/plain

Figured I'd add it since I no longer need to work on this any longer.

- zeno () cgisecurity com

Current thread:
- texis(CGI) Path Disclosure Vulnerability - phinegeek - (Feb 05)
- <Possible follow-ups>
- Re: texis(CGI) Path Disclosure Vulnerability zeno (Feb 06)
- Re: texis(CGI) Path Disclosure Vulnerability mark-bugtraq (Feb 11)