From: joetestaHUSHMAIL.COM
Date: Sun Feb 04 2001 - 13:43:07 CST

    Vulnerability in SEDUM HTTP Server

        Overview

    SEDUM HTTP Server v2.0 is a web server available from
    http://www.frassetto.it and http://www.zdnet.com. A vulnerability exists
    which allows a remote user to break out of the web root using relative
    paths (i.e. '..', '...').

        Details

            http://localhost/../[file outside web root]
            http://localhost/.../[file outside web root]
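    The check a server needs here, as an added example that is not part of the
    advisory or of SEDUM's code: a filter that only looks for the exact
    component '..' still passes the second pattern above, so the resolver below
    rejects any all-dot component and then canonicalises with the OS and requires
    the result to stay under the web root. The web root and function names are
    constructed for the demonstration.

```python
import os
import re
from urllib.parse import unquote

# Constructed web root for this demonstration (not a real deployment path).
WEB_ROOT = "/srv/www/htdocs"

# A path component consisting of nothing but two or more dots: '..', '...', etc.
_ALL_DOTS = re.compile(r"^\.{2,}$")


def naive_filter(url_path: str) -> bool:
    """Hypothetical blacklist of the kind that misses the advisory's second
    pattern: it rejects the component '..' but lets '...' through."""
    return ".." not in url_path.split("/")


def safe_resolve(url_path: str, web_root: str = WEB_ROOT):
    """Map a request path to a filesystem path; return None if it would leave
    web_root.  Two independent checks:
      1. reject any all-dot component up front, because how the host
         filesystem interprets '...' is platform dependent and the advisory
         shows it escaping the root;
      2. canonicalise with the OS (realpath) and require the result to be
         web_root itself or a descendant of it.
    Note that '..' is refused even where it would stay inside the root.
    """
    decoded = unquote(url_path)                 # also catches %2e%2e forms
    parts = [p for p in decoded.split("/") if p]
    if any(_ALL_DOTS.match(p) for p in parts):
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, *parts))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate
```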

        Solution

    No quick fix is possible.

        Vendor Status

    The author, Guido Frassetto, was contacted via <guidofrassetto.it>
    and <guidoftin.it> on Sunday, January 28, 2001 regarding version 1.1 of
    SEDUM. He replied promptly and stated that version 2.0 is immune to this
    problem. I downloaded the new version, ran more tests, and found that
    absolutely nothing is different. Since then, I have not heard back from
    Guido Frassetto.

            - Joe Testa ( joetestahushmail.com )
