Advisory for perl webserver

From: neme-dhcat_private
Date: Tue Apr 24 2001 - 06:14:55 PDT

     [ Advisory for Perl Web Server                    ]
     [ Site: http://perlwebserver.sourceforge.net      ]
     [ by nemesystm of the DHC                         ]
     [ (http://dhcorp.cjb.net - neme-dhcat_private) ]
     [ ADV-0113                                        ]
    
    /-|=[explanation]=|-\
    Perl Web Server has a simple dot dot bug.
    
    /-|=[who is vulnerable]=|-\
    Tested to be vulnerable to the hex-encoded dot dot
    bug are:
    Perl Web Server v0.3
    All older versions are assumed to be vulnerable as
    well.
    
    /-|=[testing it]=|-\
    To test this vulnerability, try the following:
    www.server.com/../../../../etc/passwd
    Add ..'s to reflect the location of /etc/passwd
    relative to Perl Web Server.
    www.server.com/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
    works as well.
    %2e is nothing but a hex-encoded dot.
    
    /-|=[fix]=|-\
    Not known at the moment.
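
Added example, not part of the original advisory and not Perl Web Server's own code: one way a Perl server can map a request path to a file so that both the plain and the %2e-encoded dot dot forms are refused. The function name resolve_request_path and the document root /var/www/html are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not Perl Web Server code): resolve a request path safely.
use strict;
use warnings;

# Map a raw request path to a file under $docroot, or return undef to refuse.
# $docroot is assumed to be an absolute path with no trailing slash.
sub resolve_request_path {
    my ($docroot, $raw) = @_;
    $raw =~ s/[?#].*//s;                       # drop query string / fragment
    # Decode %XX escapes first, so %2e%2e is seen as ".." by the checks below.
    (my $path = $raw) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return if $path =~ /\0/;                   # NUL would truncate at open()
    # Anything still looking encoded was double-encoded (%252e): refuse
    # rather than decode again. Conservative: also refuses a literal "%41".
    return if $path =~ /%[0-9A-Fa-f]{2}/;
    return unless $path =~ m{^/};              # require an absolute URL path

    my @safe;                                  # segments kept below docroot
    for my $seg (split m{/+}, $path) {
        next if $seg eq '' or $seg eq '.';
        if ($seg eq '..') {
            return unless @safe;               # would climb above docroot
            pop @safe;
            next;
        }
        push @safe, $seg;
    }
    return join('/', $docroot, @safe);
}

# Constructed sample requests, including the two forms from the advisory.
my $root = '/var/www/html';                    # assumed document root
for my $req ('/index.html',
             '/docs/../index.html',
             '/../../../../etc/passwd',
             '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
             '/%252e%252e/etc/passwd') {
    my $file = resolve_request_path($root, $req);
    printf "%-45s => %s\n", $req, defined $file ? $file : 'REFUSED (403)';
}
```

The check is purely lexical: it does not follow symbolic links inside the document root, so a server that serves symlinked content still needs a check on the resolved path.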