Steve, I just had a look at your patch and it seems to me that you just filter out the remote command execution and not the file disclosure in Twiki. http://security.debian.org/pool/updates/main/t/twiki/twiki_4.0.5-9.1etch1.diff.gz
The configure file is patched with this if ( $image =~ /^([-.\w]+)$/ ) { $image = $1; } You are basically allowing the ../../../ which can be used for ../../../etc/passwd In terms of example, what you have done is filter out /bin/configure?action=image;image=|ls%20-l|;type=text/plain and not /bin/configure?action=image;image=|../../../../../../etc/passwd|;type=text/plain Regards, webDEViL
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/