OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: neme-dhcHUSHMAIL.COM
Date: Mon May 07 2001 - 19:32:44 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

     [ Advisory for MP3Mystic ]
     [ MP3Mystic is made by mp3mystic.com ]
     [ Site: http://www.mp3mystic.com ]
     [ by nemesystm of the DHC ]
     [ (http://dhcorp.cjb.net - neme-dhchushmail.com) ]
     [ ADV-0117 ]

    /-|=[explanation]=|-\
    MP3Mystic is a webserver that lets a visitor browse
    your harddrive only showing MP3 files. It is
    vulnerable to the dot dot bug.

    /-|=[who is vulnerable]=|-\
    MP3Mystic 1.01
    MP3Mystic 1.03
    MP3Mystic 1.04
    are vulnerable.
    version 1.0 is assumed to be vulnerable as well.

    /-|=[testing it]=|-\
    By requesting
    www.server.com/../scandisk.log
    one can retrieve scandisk.log. Add ../'s to adjust
    the amount of directories that have to be moved
    down in.

    /-|=[fix]=|-\
    Download MP3Mystic 1.04b3. This will fix the bug.
    Free, encrypted, secure Web-based email at www.hushmail.com