List:       oss-security
Subject:    Re: [oss-security] Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
From:       Oden Eriksson <oeriksson () mandriva ! com>
Date:       2013-05-22 20:49:19
Message-ID: 4002262.qqzJ9NiA05 () oe ! nux ! tld

On Wednesday 22 May 2013 15.31.44, Matthias Weckbecker wrote:
> On Wednesday 22 May 2013 13:44:09 Oden Eriksson wrote:
> > On Wednesday 22 May 2013 13.06.18, Matthias Weckbecker wrote:
> > > Hi,
> > > 
> > > has anybody possibly already confirmed this? It might also be worth
> > > to assign a CVE to this if it turns out to be a reproducible issue.
> > 
> > Confirmed here. Needed to use "lynx -dump ...".
> 
> That's weird. But you've tried it *with* 'http://'? Otherwise you
> don't even generate a HTTP request.
> 
> $ lynx -dump "127.0.0.1:/../../../etc/passwd"
> vs
> $ lynx -dump "http://127.0.0.1/../../../etc/passwd"
> 
> I don't think this report is valid.
> 
> Matthias

Whoops. You're right.