[Full-Disclosure] Bytehoard File Disclosure Vulnerability Sequel
- To: full-disclosure@lists.netsys.com
- Subject: [Full-Disclosure] Bytehoard File Disclosure Vulnerability Sequel
- From: Chris Sharp <illectro2001@yahoo.com>
- Date: Mon, 27 Oct 2003 18:09:10 -0800 (PST)
So I'm sure this passed over your inboxes in some form
or another....
http://www.securiteam.com/unixfocus/6L00L008KE.html
Just a standard directory traversal attack in an open
source, fixed rapidly like any good open source
project. Except that nobody really looked too hard at
the software, try going to
http://victim.com/bytehoard/files.inc.php
and you'll find the root directory of the host machine
revealed to you. You can traverse the tree, but
downloading doesn't appear to work.
Kind of an embarrassing bug to have in your software.
Just an FYI
Chris
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html