On Tue, Jul 17, 2001 at 12:48:12PM +0200, Khamba Staring wrote: > > 1. uncgi does no relative directory checking; this means anyone can > execute any program on the remote system as the http user (to some > extent, permission wise of course) using the simple dot-dot-slash trick. Can you provide the exploit code please ? I was not able to reproduce the problem. I've tried with things like ../ and %2E%2E%2F but neither worked, at least with Apache. All I get is the usual '404 Not Found' message. cheers, carlo -- Per visualizzare il messaggio correttamente impostare il font Courier. To display the message correctly please set the Courier font.
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 07:41:29 PDT