[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-Disclosure] Vulnerability in sourceforge.net
- To: "'Dan Duplito'" <danduplito@xxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] Vulnerability in sourceforge.net
- From: "Todd Towles" <toddtowles@xxxxxxxxxxxxxxx>
- Date: Thu, 22 Jul 2004 07:49:53 -0500
Sounds like they should have configured that page a bit different...made it
run under a little less access...or said I say..it is a mis-configuration.
=)
-----Original Message-----
From: full-disclosure-admin@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of Dan Duplito
Sent: Wednesday, July 21, 2004 6:37 PM
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Vulnerability in sourceforge.net
> nicolas vigier <boklm@xxxxxxxxxxxxxxxx> wrote:
>
> It's not a mis-configuration, this does not allow you to look at any
> secret file, only the files that the user nobody can read.
well, user "nobody" has shell access (/bin/sh) and is allowed read access to
/etc/passwd file and probably other system files as well.
i'm wondering if the discoverer (Alexander) already informed the authors of
the app...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html