Previous articleBack to news listNext article
|
Sponsored links |
Want to become one of our authors and see your work published on ALLSeek.iNFO ?
|
| sbox May Disclose Installation Path and User Account Paths to Remote Users |
|---|
Categorie: Vulnerability
Posted: 2003-09-29 by ReCall
Views: 421
Source: Click here
| Current Rating: Not rated
|
|
| Details |
|---|
Description: A vulnerability was reported in 'sbox'. A remote user can determine the installation path and the path to various user cgi scripts.
EightOne Research Facility reported that a remote user can submit an HTTP query for a '/cgi-bin' script that does not exist to cause the server to display the installation path. A demonstration exploit URL is provided:
http://[target]/cgi-bin/non-existent.pl
Because sbox is used to allow a less-privileged user to host a cgi script in the user's own directory (but still be executed via the web server), the path that is disclosed may contain the user's account name (e.g., "/home/[username]/cgi-bin/non-existent.pl").
The vendor has reportedly been notified.
Impact: A remote user can determine the installation path. A remote user may also be able to determine the user account name of users that host cgi scripts on the target server.
Solution: No solution was available at the time of this entry.
|
| Syndication |
|---|
Permalink Email this
The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=483
|
| User comments (post your comments ) |
|---|
Only registerd members can post comments and articles
|
|
Previous articleBack to news listNext article
|
