[19010] in bugtraq


Vulnerability in Picserver

daemon@ATHENA.MIT.EDU (joetesta@HUSHMAIL.COM)
Mon Feb 5 15:20:58 2001

Message-Id:  <200102051742.JAA16545@user7.hushmail.com>
Date:         Mon, 5 Feb 2001 12:44:59 -0800
Reply-To: joetesta@HUSHMAIL.COM
From: joetesta@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM


Vulnerability in Picserver




    Overview

Picserver is a specialized web server available from http://www.informs.com
and http://www.zdnet.com.  It does not confine request paths to the web root:
a remote user can escape it with dot segments ('..', and also '...') in the
URL, i.e. a directory traversal, and retrieve files outside the web root.



    Details

        http://localhost:7000/../[file outside web root]
        http://localhost:7000/.../[file outside web root]
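The two request shapes above, modelled in code.  This is an added example, not
code from the advisory or from Picserver: a minimal request-path-to-file
mapping in the traversal-prone form (glue the URL path onto the web root and
let the OS resolve it) beside a hardened form that canonicalises and checks
containment, plus a request-line check that flags '..' and '...' segments for
log review.  The file layout, the function names and the htdocs/secret.txt
names are all constructed for the demonstration.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Any path segment made only of two or more dots: '..', '...', '....'.
# The advisory reports both '..' and '...' working against Picserver.
DOT_SEGMENT = re.compile(r"^\.{2,}$")


def has_dot_segment(url_path):
    """Detection check for a request line or access-log path: True if any
    segment is a run of two or more dots.  Percent-decoding first also
    catches '%2e%2e' spellings of the same thing."""
    return any(DOT_SEGMENT.match(seg) for seg in unquote(url_path).split("/"))


def naive_map(web_root, url_path):
    """Traversal-prone mapping (assumed shape of the bug, not Picserver's
    code): join the request path onto the web root and let the OS resolve
    it, so '..' segments walk out of web_root."""
    return os.path.realpath(os.path.join(web_root, unquote(url_path).lstrip("/")))


def safe_map(web_root, url_path):
    """Hardened mapping: canonicalise both sides, then require the result to
    stay under web_root.  The containment check is what makes the outcome
    platform-independent, whatever the OS does with a '...' segment."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, unquote(url_path).lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("request escapes web root: %s" % url_path)
    return target


def read_via(mapper, web_root, url_path):
    """Serve one request through the given mapper; returns the file text, or
    the exception class name when the request is refused or not found."""
    try:
        with open(mapper(web_root, url_path), encoding="utf-8") as fh:
            return fh.read()
    except (PermissionError, FileNotFoundError) as exc:
        return type(exc).__name__


def demo():
    """Build a constructed layout (a web root plus one file one level above
    it) and run both mappers against the advisory's request shapes."""
    with tempfile.TemporaryDirectory() as base:
        web_root = os.path.join(base, "htdocs")
        os.mkdir(web_root)
        with open(os.path.join(web_root, "index.html"), "w", encoding="utf-8") as fh:
            fh.write("<h1>Picserver</h1>")
        with open(os.path.join(base, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("outside the web root")
        return {
            "flag_dotdot": has_dot_segment("/../secret.txt"),
            "flag_dotdotdot": has_dot_segment("/.../secret.txt"),
            "flag_normal": has_dot_segment("/index.html"),
            "naive_dotdot": read_via(naive_map, web_root, "/../secret.txt"),
            "safe_dotdot": read_via(safe_map, web_root, "/../secret.txt"),
            "safe_index": read_via(safe_map, web_root, "/index.html"),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-15s %r" % (name, value))
```

On a POSIX host a '...' segment is just an ordinary (non-existent) directory
name, so naive_map does not escape with it there; the advisory's report of
'...' working is why the hardened form checks the resolved path rather than
filtering for the literal '..'.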



    Solution

No quick fix is available at the time of writing.



    Vendor Status

Information Management Specialists, Inc. was contacted via
<pcprods@informs.com> and <services@informs.com> on Monday, January 29,
2001.  No reply was received.



        - Joe Testa  ( e-mail: joetesta@hushmail.com / AIM: LordSpankatron )




