[5261] in bugtraq
Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable
daemon@ATHENA.MIT.EDU (David J. Meltzer)
Fri Sep 5 18:45:56 1997
Date: Fri, 5 Sep 1997 17:30:33 -0400
Reply-To: "David J. Meltzer" <davem@ISS.NET>
From: "David J. Meltzer" <davem@ISS.NET>
X-To: markb@ora.com
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.SUN.3.94.970905160241.17432A-100000@dfw.dfw.net>
> >O'reilly's webserver 'website' contains a demopackage that contains
> >the cgi-program uploader.exe.
> >The program uploader.exe doesn't check anything at all.....
>
> This hole did exist prior to the July 1996 revision of uploader.bas,
> when I added a security fix.
> The fix has been available since that time at
> http://software.ora.com/techsupport/software/updates.html
> The revised uploader was also included in WebSite 1.1g
FYI-
The current WebSite Professional 2.0 Beta is vulnerable to the
uploader.exe problem. Of course being beta code it is expected
to have bugs but just want to be sure you are aware so it gets
fixed before 2.0 hits a release.
-Dave
--------------------------------+---------------------
David J. Meltzer | Email: davem@iss.net
Systems Engineer | Web: www.iss.net
Internet Security Systems, Inc. | Fax: (770)395-1972
