Sorry for not clarifying. This is another vulnerability. The patch made
DOES NOT fix this vulnerability.
The CGISecurity hole only allowed read, not execute, and the patch did not
affect the az field.
At 11:07 AM 4/17/01 +0200, Wolfgang Wiese wrote:
>Hi,
>
> > Version Tested: DCForum 2000 1.0
> > Severity: Any remote attacker may gain read/write/execute privilleges
>
>
>Isn't that the same security-leak CGISecurity (http://www.CGISecurity.com/)
>reportet Nov 2000 about?
>
>Moreover the current version of DCForum is 6.1. The security-leak was
>affecting versions 1.0 - 6.0 and was patched by DCScripts on
>March, 31. (http://www.dcscripts.com/FAQ/sec_2001_03_31.html)
>
>Ciao,
> Wolfgang
>
>
>--
>______________________________________________________________________
> Dipl. Inf. Wolfgang Wiese XWolf CGI & Webworking
> [EMAIL PROTECTED] http://www.xwolf.com
>______________________________________________________________________
> PGP-key: http://www.xwolf.com/public-key.txt
