List:       full-disclosure
Subject:    [Full-disclosure] No Directory Traversal Vulnerability in sthttpd
From:       "Anthony G. Basile" <basile () opensource ! dyc ! edu>
Date:       2013-05-30 20:36:55
Message-ID: 51A7B867.5080800 () opensource ! dyc ! edu

Hi everyone,

I've gotten reports from a couple of directions now regarding Metropolis 
Hexor's directory traversal attack against thttpd 2.25b [1].  Since I'm 
maintaining sthttpd, a fork of thttpd [2], I thought I'd better let 
people know that the exploit does not affect sthttpd.  Several people 
have tried and just can't trigger it.  sthttpd has about a dozen patches 
that have accumulated over the years (one reason for the fork) and one 
of those is the fix.

Please play with the code base [3] and report problems (or better yet, 
submit patches) and I will address the issues.

I'm not on the list so please cc me.

Refs.

   [1] http://seclists.org/fulldisclosure/2013/May/106
   [2] http://opensource.dyc.edu/sthttpd
   [3] http://opensource.dyc.edu/gitweb/?p=sthttpd.git;a=summary

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/