
Full Disclosure mailing list archives

Re: [SECURITY] [DSA 1639-1] New twiki packages execution of arbitrary code
From: "webby devil" <w3bd3vil () gmail com>
Date: Sun, 21 Sep 2008 14:01:36 +0530


I just had a look at your patch and it seems to me that you just filter out
the remote command execution and not the file disclosure in Twiki.

The configure file is patched with this
   if ( $image =~ /^([-.\w]+)$/ ) {
        $image = $1;
You are basically allowing the ../../../ which can be used for

In terms of example, what you have done is filter out
and not

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
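An added defender's illustration, not part of the original message or of TWiki's own code, and written in Python rather than the project's Perl: it reproduces the character allow-list from the quoted patch and pairs it with a second check that resolves the candidate path and confirms it stays inside an image directory. The directory path and the sample names are constructed for this example. A name such as `..` satisfies the allow-list by itself, so the containment check is what actually rules out escaping the directory.

```python
import os
import re

# Same character class as the quoted patch, anchored to the whole string.
SAFE_NAME = re.compile(r"[-.\w]+")

# Hypothetical image directory for the containment check (constructed).
IMAGE_DIR = "/var/www/twiki/images"


def allowlist_check(image: str) -> bool:
    """Mirror of the patch's regex check: accept only names made of [-.\\w]."""
    return SAFE_NAME.fullmatch(image) is not None


def contained_path(base: str, image: str):
    """Resolve base/image and return it only if it stays strictly inside base."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, image))
    # Anything that resolves outside the directory is rejected.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    # '.' or '' resolve to the directory itself, which is not an image either.
    if candidate == base_real:
        return None
    return candidate


def validate_image(image: str, base: str = IMAGE_DIR):
    """Both layers: allow-list the name, then confine the resolved path."""
    if not allowlist_check(image):
        return None
    return contained_path(base, image)


def run_samples():
    """Constructed inputs showing what each layer accepts or rejects."""
    samples = ["logo.gif", "..", ".", "", "../../../etc/passwd", "/etc/passwd"]
    return {
        name: {
            "allowlist": allowlist_check(name),
            "contained": validate_image(name) is not None,
        }
        for name in samples
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(repr(name), verdict)
```

Running the block prints the two verdicts per sample name; only `logo.gif` passes both layers, while `..` passes the allow-list and is stopped by the containment check.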

