[11765] in bugtraq
[Sybase] software vendors do not think about old bugs
daemon@ATHENA.MIT.EDU (Domas Mituzas)
Thu Sep 9 02:20:34 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.05.9909041428230.5675-100000@mx.nkm.lt>
Date: Sat, 4 Sep 1999 14:37:01 +0200
Reply-To: Domas Mituzas <midom@DAMMIT.LT>
From: Domas Mituzas <midom@DAMMIT.LT>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Hello all,

Recently I found that the Sybase PowerDynamo personal web server knows how to
handle ../../ queries. I could see the whole disk via web browser :-) This
was found on a rather new release (3.0.0.652) of the PD personal web server,
which is included in Enterprise Application Studio and together with
PowerDynamo in other boxes. This "feature" works with both static and
dynamic file sites (I didn't check the database site).

Of course, as it is a "personal" web server, such features may be left in. But
as the same bugs were in MS and other servers, it is a thing that should
concern us - why do software vendors not look at old bugs of other products,
so they could avoid their own?

With respect,
Domas Mituzas
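
Added example, not part of the original post and not Sybase code: a minimal Python sketch of the document-root containment check whose absence allows the ../../ behaviour described above, shown beside the flawed join-and-trust pattern. The function names, directory layout and request strings are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(docroot, url_path):
    # Flawed pattern: join the request path to the root and trust the result.
    return os.path.normpath(os.path.join(docroot, url_path.lstrip("/")))


def safe_resolve(docroot, url_path):
    """Return the canonical file path for url_path, or None if it leaves docroot."""
    root = os.path.realpath(docroot)
    # Decode percent-escapes once and treat backslashes as separators,
    # since a Windows server accepts both "/" and "\".
    decoded = unquote(url_path).replace("\\", "/")
    if "\x00" in decoded:
        return None
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    try:
        # Compare whole path components of the canonical paths, so that
        # ".." segments, symlinks and look-alike siblings ("site2") all fail.
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return candidate if inside else None


def demo():
    # Constructed layout: <tmp>/site is the document root; anything else is outside.
    base = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(base, "site")
    os.makedirs(os.path.join(docroot, "docs"))
    requests = ["/docs/../index.html", "/../secret.txt",
                "/%2e%2e/secret.txt", "/..\\secret.txt", "/../site2/x"]
    for req in requests:
        print(f"{req!r:24} naive={naive_resolve(docroot, req)!r}")
        print(f"{'':24} safe ={safe_resolve(docroot, req)!r}")


if __name__ == "__main__":
    demo()
```

The check runs on the canonical path after decoding, so a request that stays inside the root by way of ".." (the first sample) is still served, while every form that resolves outside it is refused.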