Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Franklin DeMatto (franklinQDEFENSE.COM)
Date: Tue Apr 17 2001 - 09:20:09 CDT
Sorry for not clarifying. This is another vulnerability. The patch made
DOES NOT fix this vulnerability.
The CGISecurity hole only allowed read, not execute, and the patch did not
affect the az field.
At 11:07 AM 4/17/01 +0200, Wolfgang Wiese wrote:
> > Version Tested: DCForum 2000 1.0
> > Severity: Any remote attacker may gain read/write/execute privilleges
>Isn't that the same security-leak CGISecurity (http://www.CGISecurity.com/)
>reportet Nov 2000 about?
>Moreover the current version of DCForum is 6.1. The security-leak was
>affecting versions 1.0 - 6.0 and was patched by DCScripts on
>March, 31. (http://www.dcscripts.com/FAQ/sec_2001_03_31.html)
> Dipl. Inf. Wolfgang Wiese XWolf CGI & Webworking
> xwolfxwolf.com http://www.xwolf.com
> PGP-key: http://www.xwolf.com/public-key.txt