Perception LiteServe MS-DOS filename vulnerability

From: Wizdumb (wizdumbat_private)
Date: Mon Jun 25 2001 - 00:30:20 PDT


    Perception LiteServe <http://www.cmfperception.com/liteserve.html> is a
    Web, FTP and e-Mail server for Win*. When GET requests are made to
    LiteServe's webserver with the name of the cgi-bin directory as an MS-DOS
    directory name (e.g. cgi-shizznitch=CGI-SH~1 and cgi-bin=CGI-BIN),
    LiteServe will read the script instead of executing it.
    
    The vendor has been informed, and a fixed version (v1.28) is now available
    on Perception's website. Thanks to Chris Fillion for his prompt response.
    
    Cheers,
    Andrew Lewis
    ---
    wizdumbat_private
    http://www.mdma.za.net/fk
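
Added example, not part of the original post and not LiteServe's code: a minimal Python model of the routing decision the advisory describes, with an exact-match check beside a hardened one. The function names, the `CGI_DIR` value and the sample request paths are constructed for illustration; a real Windows server would also resolve the path on disk (for instance with the Win32 `GetLongPathName` call) before comparing.

```python
import re
from urllib.parse import unquote

CGI_DIR = "cgi-bin"  # assumed script directory name, as in the advisory's example

# An 8.3 alias segment: short base, "~", digits, optional extension of up to 3 chars.
SHORT_ALIAS = re.compile(r"^[^/\\.~]{1,6}~\d{1,6}(\.[^/\\.]{1,3})?$")


def segments(url_path):
    """Drop the query string, percent-decode once, split into path segments."""
    decoded = unquote(url_path.split("?", 1)[0])
    return [s for s in re.split(r"[/\\]+", decoded) if s]


def naive_classify(url_path):
    """Model of the flawed behaviour: exact, case-sensitive directory match."""
    segs = segments(url_path)
    return "execute" if segs and segs[0] == CGI_DIR else "serve-file"


def hardened_classify(url_path):
    """Refuse alias segments; match the script directory case-insensitively."""
    segs = segments(url_path)
    if any(SHORT_ALIAS.match(s) for s in segs):
        # Without asking the filesystem we cannot tell which directory the
        # alias names, so never fall through to serving the file as text.
        return "reject"
    if segs and segs[0].lower() == CGI_DIR:
        return "execute"
    return "serve-file"


if __name__ == "__main__":
    # Constructed sample requests (hypothetical script name test.pl).
    samples = [
        "/cgi-bin/test.pl",
        "/CGI-BIN/test.pl",
        "/CGI-SH~1/test.pl",
        "/CGI-SH%7E1/test.pl",
        "/index.html",
    ]
    for path in samples:
        print(f"{path:22} naive={naive_classify(path):10} "
              f"hardened={hardened_classify(path)}")
```

In the naive model the upper-case and alias forms fall through to `serve-file`, which is the source disclosure reported above; the hardened check either executes or rejects them.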
    


