> Advisory: texis(CGI) Path Disclosure Vulnerability
> Application: Thunderstone's texis(CGI)
> Release Date: 02.05.02
> Severity: Any user can send an invalid path to texis(CGI)
> causing it to reveal the full path to the webroot.
> In some cases texis will display system specific
> information(OS, processor type).
> Vendor Status: ThunderStone was contacted and has not responded since Jan.29.02
>

I was also, unrelatedly, working on this problem. Another thing to add is that if you add an extension of .txt to the end of a filename it displays the file in txt format rather than html.

http://hotfiles.zdnet.com/cgi-bin/texis/.txt

Trying 205.181.112.68...
Connected to hotfiles.zdnet.com.
Escape character is '^]'.
GET /cgi-bin/texis/.txt HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 06 Feb 2002 14:46:23 GMT
Server: Apache/1.3.11 (Unix)
Connection: close
Content-Type: text/plain

Figured I'd add it since I no longer need to work on this any longer.

- zenoat_private

This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 10:07:33 PST