On Tue, Jul 17, 2001 at 12:48:12PM +0200, Khamba Staring wrote:
>
> 1. uncgi does no relative directory checking; this means anyone can
> execute any program on the remote system as the http user (to some
> extent, permission wise of course) using the simple dot-dot-slash trick.
Can you provide the exploit code please ? I was not able to reproduce
the problem. I've tried with things like ../ and %2E%2E%2F but neither
worked, at least with Apache. All I get is the usual '404 Not Found' message.
cheers,
carlo
--
Per visualizzare il messaggio correttamente impostare il font Courier.
To display the message correctly please set the Courier font.
