[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Gnump3d-users] Security: HUGE security hole
From: |
Steve Kemp |
Subject: |
Re: [Gnump3d-users] Security: HUGE security hole |
Date: |
Tue, 20 Jul 2004 21:06:15 +0100 |
User-agent: |
Mutt/1.3.28i |
On Tue, Jul 20, 2004 at 04:11:28PM -0400, Boris Kurktchiev wrote:
> Ok didn't expect this but I just finished running a nessus scan on my machine
> and it came back with one of the most infamous holes ever in gnump3d if you
> do: http://localhost:8888../../../../../../etc/passwd it displays the
> file.... thats BAD. The report also said that the server is vulnerable to jsp
> scrip execution like this:
> http://localhost:8888/<SCRIPT>alert('Vulnerable')</SCRIPT>.jsp
> but I couldn't get this to work. PLEASE fix the first hole though.
The latest version of the code is not vulnerable to this attack.
The javascript / XSS attack is irrelevent as cookies are not used
for any authentication.
Steve
--
>
>
> _______________________________________________
> Gnump3d-users mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/gnump3d-users
--
Steve
---
Edinburgh System Administrator : Linux, UNIX, Windows
Looking for an interesting job : http://www.steve.org.uk/