No Directory Traversal Vulnerability in sthttpd

["Anthony G. Basile" <basile () opensource dyc edu>]

Hi everyone,

I've gotten reports from a couple of directions now regarding Metropolis 
Hexor's directory traversal attack against thttpd 2.25b [1].  Since I'm 
maintaining sthttpd, a fork of thttpd [2], I thought I'd better let 
people know that the exploit does not affect sthttpd.  Several people 
have tried and just can't trigger it.  sthttpd has about a dozen patches 
that have accumulated over the years (one reason for the fork) and one 
of those is the fix.

Please play with the code base [3] and report problems (or better yet, 
submit patches) and I will address them issues.

I'm not on the list so please cc me.

Refs.

  [1] http://seclists.org/fulldisclosure/2013/May/106
  [2] http://opensource.dyc.edu/sthttpd
  [3] http://opensource.dyc.edu/gitweb/?p=sthttpd.git;a=summary

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/