Hi there,

Not only assp.pl but the database files, and the configuration lists, etc. I think that it should be locked at the images folder without any RE for extensions and so on. So you know that anything in images can be downloaded. In the future if more folders are needed they can be added just like the images folder.

Regards!
Javier Albinarrate
----- Original Message -----
Sent: Thursday, August 17, 2006 12:01 PM
Subject: Re: [Assp-user] Its official - we are on Secunia...
Fritz Borgstedt wrote:
An example on *nix would be the /etc/passwd file.
"http://127.0.0.1:55555/get?file=/etc/passwd"
Please test version 1.2.5

This looks good in terms of locking file retrieval to ASSP's base directory, but I wonder if more should be done to secure this file retrieval mechanism. For instance, this can be done:
http://127.0.0.1:55555/get?file=assp.pl
Is there really any need to allow file retrieval for anything beyond \.(css|gif|ico|jpg|png|txt) ? Or perhaps it should be anything except .pl ?
I'm not complaining - I'm just thinking of how to make it less susceptible to issues in the future.
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user