Re: tseekdir.cgi<--Local File Include
From: Steven M. Christey (coleymitre.org)
Date: Tue May 09 2006 - 22:08:38 CDT
>found by: BoNy-m
Also apparently found by durito in September 2004, as identified in
the Turbo Seek product.
This is the same exploit vector as what was reported in Secunia
SA12500 and BID 11163:
and claimed by Secunia to be fixed in 1.7.2.
The use of ".." seems to be a new attack that IDS people might want to
note, but in my experience, you can't be sure whether this is
exhibiting a distinct bug from the absolute path issue that was already
mentioned (one of the fun things about path traversal in general).
However, this would require testing against 1.7.2 or later versions
(since fixes for absolute path issues might still allow ".."
P.S. to moderator - feel free to privately ask me to shut up about all
these errors, I swear I only comment on a small percentage of them :)
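
Added example, not part of the original post and not Turbo Seek's code: a sketch of why a fix that only rejects absolute paths can still let ".." through, next to a check that canonicalizes the path and requires it to stay under the base directory. The function names and sample inputs are hypothetical and constructed for illustration.

```python
import os
import tempfile


def absolute_only_check(base, user_path):
    """Hypothetical partial fix: reject absolute paths and nothing else."""
    if os.path.isabs(user_path):
        return None
    return os.path.join(base, user_path)


def contained_check(base, user_path):
    """Canonicalize first, then require the result to stay under base."""
    base_real = os.path.realpath(base)
    # join() discards base_real when user_path is absolute, so the
    # containment test below covers absolute paths and ".." alike.
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


def classify(base, user_path):
    """Return (accepted_by_partial_fix, accepted_by_containment_check)."""
    partial = absolute_only_check(base, user_path)
    contained = contained_check(base, user_path)
    return (partial is not None, contained is not None)


def demo():
    # Constructed sample inputs; the base directory is a throwaway temp dir.
    samples = [
        "docs/index.html",         # ordinary relative path
        "/etc/passwd",             # absolute path (the earlier report)
        "../../etc/passwd",        # ".." climbing out of the base
        "docs/../../outside.txt",  # ".." hidden behind a valid prefix
        "docs/./../index.html",    # ".." that still resolves inside base
    ]
    with tempfile.TemporaryDirectory() as base:
        return {s: classify(base, s) for s in samples}


if __name__ == "__main__":
    for path, (partial, contained) in demo().items():
        print(f"{path!r:28} absolute-only={partial!s:5} contained={contained}")
```

Inputs where the two columns disagree are the ones that need retesting after an absolute-path fix; the last sample shows that a blanket ban on ".." is not the same test as containment.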