Date: Wed, 22 May 2013 12:50:18 -0400
From: The Doctor <drwho@...tadpt.net>
To: oss-security@...ts.openwall.com
Subject: Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory
 Traversal Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/22/2013 09:29 AM, Vitezslav Cizek wrote:

> Are you sure? I fail to reproduce the problem.
> 
> How do you use lynx? Do you prepend "http://" to the url? Otherwise
> lynx won't connect over network and will default to local
> filesystem.
> 
> For example: $ lynx -dump "google.com:80/../../../../etc/passwd"
> will get you your local /etc/passwd

For what it's worth, I'm getting the same results with the same
version of thttpd.

$ lynx -dump drwho.virtadpt.net:80/../../../../../../../../etc/passwd
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin
smmsp:*:25:25:Sendmail Message Submission Program:/nonexistent:/sbin/nologin
popa3d:*:26:26:POP3 Server:/var/empty:/sbin/nologin
sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin
...blah blah blah...

versus:

$ lynx -dump http://drwho.virtadpt.net:80/../../../../../../../../etc/passwd

                                  Bad Request

   Your browser sent a request that this server could not understand.

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"Am I missing an eyebrow?"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGc90oACgkQO9j/K4B7F8GgcQCgrgdV2puuyGh7P3t8tIaqRIXx
xHQAoNRvkLreR5OOFukhEsiUFLtUy/V3
=n8K3
-----END PGP SIGNATURE-----
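
Added example (not part of the original message, and not thttpd or lynx code): one way to triage a traversal report like the one in this thread without a client that may fall back to the local filesystem or rewrite the path. It sends the request line byte-for-byte over a socket and returns the server's status line; the loopback http.server instance is only a stand-in test target, and all function names are hypothetical.

```python
import functools
import http.server
import socket
import tempfile
import threading


def names_network_url(target: str) -> bool:
    """True only when the argument carries an explicit http(s) scheme."""
    return target.lower().startswith(("http://", "https://"))


def raw_status(host: str, port: int, path: str) -> str:
    """Send `path` unmodified (no client-side '..' collapsing); return the status line."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        data = b""
        while b"\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.split(b"\r\n", 1)[0].decode("latin-1")


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging in the demo
        pass


def demo() -> str:
    """Run the check against a throwaway loopback server rooted in an empty directory."""
    with tempfile.TemporaryDirectory() as root:
        handler = functools.partial(QuietHandler, directory=root)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return raw_status("127.0.0.1", srv.server_address[1], "/../../../../etc/passwd")
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    # The two lynx arguments from the message above; only the strings are inspected here.
    for arg in ("drwho.virtadpt.net:80/../../../../../../../../etc/passwd",
                "http://drwho.virtadpt.net:80/../../../../../../../../etc/passwd"):
        print(names_network_url(arg), arg)
    print(demo())
```

A report is only worth escalating when the file contents come back in a response obtained this way; output from a command whose argument fails names_network_url() says nothing about the server.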
