[210] in linux-security and linux-alert archive
HTTPD bug
daemon@ATHENA.MIT.EDU (Mr Pink)
Sun Apr 16 05:37:51 1995
From: Mr Pink <vince@dallas.demon.co.uk>
To: linux-security@tarsier.cv.nrao.edu
Date: Sun, 16 Apr 1995 00:46:20 +0000 (GMT)
In-Reply-To: <m0s0AVJ-000KjaC@monad.swb.de> from "Olaf Kirch" at Apr 15, 95 06:15:25 pm
Hello all,
I was browsing through alt.2600, as you do, and spotted something of interest:
it appears there is a problem with the CERN httpd.
It allows you to create a directory in a user's home dir that can be
accessed via Mosaic/Netscape. Well, the bad bit of news is, if you symlink
this dir to root (/), file ownership becomes nonexistent.
I was easily able to read the shadow passwd file!
--
"Why should I be frightened of dying? There's no reason for it.
You've got to go sometime." - TGGITS
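
Added example, not part of the original post and not CERN httpd code: a C sketch of a check a server could run before serving a file from a user's published directory, so that a directory symlinked to / is refused. The function names, the public_html and linked directory names, and the /tmp scenario are assumptions constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath, mkdtemp, symlink */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 only if home/pubdir/request resolves to a file that lives under
 * the real home directory and is owned by that directory's owner. */
int user_path_allowed(const char *home, const char *pubdir, const char *request)
{
    char joined[PATH_MAX], real_home[PATH_MAX], real_target[PATH_MAX];
    struct stat hs, ts;
    size_t n;
    if (snprintf(joined, sizeof joined, "%s/%s/%s", home, pubdir, request)
            >= (int)sizeof joined)
        return 0;
    /* realpath() follows every symlink, including pubdir itself. */
    if (!realpath(home, real_home) || !realpath(joined, real_target))
        return 0;
    /* Compare against the home directory, not pubdir: once pubdir is a
     * symlink to "/", every file on the system is "inside" pubdir. */
    n = strlen(real_home);
    if (strncmp(real_target, real_home, n) != 0 || real_target[n] != '/')
        return 0;
    if (stat(real_home, &hs) != 0 || stat(real_target, &ts) != 0)
        return 0;
    return ts.st_uid == hs.st_uid;   /* the server's own uid is irrelevant */
}

/* Constructed scenario (leaves its temp directory behind). Bit 0: ordinary
 * file allowed. Bit 1: request through a directory symlinked to "/" refused. */
int demo(void)
{
    char home[] = "/tmp/homeXXXXXX", path[PATH_MAX];
    FILE *f;
    if (!mkdtemp(home)) return -1;
    snprintf(path, sizeof path, "%s/public_html", home); mkdir(path, 0755);
    snprintf(path, sizeof path, "%s/public_html/index.html", home);
    if ((f = fopen(path, "w"))) fclose(f);
    snprintf(path, sizeof path, "%s/linked", home);
    if (symlink("/", path) != 0) return -1;
    return (user_path_allowed(home, "public_html", "index.html") ? 1 : 0)
         | (user_path_allowed(home, "linked", "etc/passwd") ? 0 : 2);
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

The check and the later open() are separate steps, so a server using this approach would also re-verify the opened descriptor with fstat() before sending data.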