Sorry for not clarifying. This is another vulnerability. The patch made DOES NOT fix this vulnerability. The CGISecurity hole only allowed read, not execute, and the patch did not affect the az field. At 11:07 AM 4/17/01 +0200, Wolfgang Wiese wrote: >Hi, > > > Version Tested: DCForum 2000 1.0 > > Severity: Any remote attacker may gain read/write/execute privilleges > > >Isn't that the same security-leak CGISecurity (http://www.CGISecurity.com/) >reportet Nov 2000 about? > >Moreover the current version of DCForum is 6.1. The security-leak was >affecting versions 1.0 - 6.0 and was patched by DCScripts on >March, 31. (http://www.dcscripts.com/FAQ/sec_2001_03_31.html) > >Ciao, > Wolfgang > > >-- >______________________________________________________________________ > Dipl. Inf. Wolfgang Wiese XWolf CGI & Webworking > xwolfat_private http://www.xwolf.com >______________________________________________________________________ > PGP-key: http://www.xwolf.com/public-key.txt
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 12:55:37 PDT