[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] No Directory Traversal Vulnerability in sthttpd

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] No Directory Traversal Vulnerability in sthttpd
From: "Anthony G. Basile" <basile@xxxxxxxxxxxxxxxxxx>
Date: Thu, 30 May 2013 16:36:55 -0400

Hi everyone,

I've gotten reports from a couple of directions now regarding MetropolisHexor's directory traversal attack against thttpd 2.25b [1]. Since I'mmaintaining sthttpd, a fork of thttpd [2], I thought I'd better letpeople know that the exploit does not affect sthttpd. Several peoplehave tried and just can't trigger it. sthttpd has about a dozen patchesthat have accumulated over the years (one reason for the fork) and oneof those is the fix.

Please play with the code base [3] and report problems (or better yet,submit patches) and I will address them issues.


I'm not on the list so please cc me.

Refs.

  [1] http://seclists.org/fulldisclosure/2013/May/106
  [2] http://opensource.dyc.edu/sthttpd
  [3] http://opensource.dyc.edu/gitweb/?p=sthttpd.git;a=summary

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] PayPal.com XSS Vulnerability
Next by Date: [Full-disclosure] XSS in images.samsung.com
Previous by thread: [Full-disclosure] [ MDVSA-2013:171 ] gnutls
Next by thread: [Full-disclosure] XSS in images.samsung.com
Index(es):
- Date
- Thread