Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Vulnerability in sourceforge.net
From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 22 Jul 2004 07:49:53 -0500

Sounds like they should have configured that page a bit different...made it
run under a little less access...or said I say..it is a mis-configuration.
=)

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Dan Duplito
Sent: Wednesday, July 21, 2004 6:37 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Vulnerability in sourceforge.net

nicolas vigier <boklm () mars-attacks org> wrote:

It's not a mis-configuration, this does not allow you to look at any
secret file, only the files that the user nobody can read.

well, user "nobody" has shell access (/bin/sh) and is allowed read access to
/etc/passwd file and probably other system files as well.

i'm wondering if the discoverer (Alexander) already informed the authors of
the app...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault