From: neme-dhcHUSHMAIL.COM
Date: Tue Apr 24 2001 - 08:14:55 CDT


     [ Advisory for Perl Web Server ]
     [ Site: http://perlwebserver.sourceforge.net ]
     [ by nemesystm of the DHC ]
     [ (http://dhcorp.cjb.net - neme-dhchushmail.com) ]
     [ ADV-0113 ]

    /-|=[explanation]=|-\
    Perl Web Server has a simple dot dot bug.

    /-|=[who is vulnerable]=|-\
    Tested to be vulnerable to the hex-encoded dot dot
    bug are:
    Perl Web Server v0.3
    All older versions are assumed to be vulnerable as
    well.

    /-|=[testing it]=|-\
    To test this vulnerability, try the following.
    www.server.com/../../../../etc/passwd
    add ..'s to reflect the location of /etc/passwd in
    comparison to Perl Web Server.
    www.server.com/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
    works as well.
    %2e is nothing but a hex-encoded dot.

    /-|=[fix]=|-\
    Not known at the moment.
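
A containment check that rejects both request forms shown in the advisory, given as an added example in Python (it is not Perl Web Server's code and not part of the original advisory). The function name `resolve_request_path` and the `/srv/www` document root are assumptions made for illustration.

```python
import os
from urllib.parse import unquote

DOCROOT = "/srv/www"  # assumed document root (hypothetical)


def resolve_request_path(url_path, docroot=DOCROOT):
    """Map a request path to a file under docroot.

    Returns the absolute file path, or None when the request would
    resolve to a location outside the document root.
    """
    # Only the path component is mapped to the filesystem.
    path = url_path.split("?", 1)[0].split("#", 1)[0]

    # Decode percent-escapes exactly once, BEFORE any ".." handling,
    # so "%2e%2e" is seen as ".." by the check below. Decoding after
    # the check (or twice) reopens the hole.
    decoded = unquote(path)
    if "\x00" in decoded:
        return None  # embedded NUL can truncate the name in lower layers

    # Canonicalize: realpath collapses ".." segments and follows
    # symlinks, so a link inside docroot that points outside is caught.
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))

    # Serve only if the canonical path is still inside the root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Request paths: the first two are the forms from the advisory,
    # the rest are constructed samples.
    samples = [
        "/../../../../etc/passwd",
        "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "/index.html",
        "/docs/%2e%2e/index.html",
    ]
    for s in samples:
        print(f"{s!r:50} -> {resolve_request_path(s)}")
```

A request that returns `None` should get a 403 or 404 and is worth logging, since neither a literal nor an encoded `..` that climbs above the root appears in normal browsing.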