On 03/04/2013 09:25 AM, Jason Staburn wrote:
If you would like more information on the exploit itself, please let me
know. I have a proof of concept that is able to hit the exploit with
100% success.
Hi Eric,
I'm trying to test this patch and would love to know how you're able to
duplicate this on-demand.
Thanks,
Jason
2012/10/31 Eric Jacobs ejac...@bluehost.com:
On 10/31/2012 06:00 AM, Eric Covener wrote:
In general that is the proper form -- but this particular issue is
documented as a limitation:
Omitting this option should not be considered a security restriction,
since symlink testing is subject to
On 31/10/2012 05:46, Eric Jacobs wrote:
There is a race condition vulnerability in httpd 2.2.23 (also present
in previous releases) that allows a malicious user to serve arbitrary
files from nearly anywhere on a server that isn't protected by strict
OS-level permissions. In a shared hosting
On 31 Oct 2012, at 6:46 AM, Eric Jacobs ejac...@bluehost.com wrote:
There is a race condition vulnerability in httpd 2.2.23 (also present in
previous releases) that allows a malicious user to serve arbitrary files from
nearly anywhere on a server that isn't protected by strict OS-level
On Wed, Oct 31, 2012 at 7:31 AM, Graham Leggett minf...@sharp.fm wrote:
On 31 Oct 2012, at 6:46 AM, Eric Jacobs ejac...@bluehost.com wrote:
There is a race condition vulnerability in httpd 2.2.23 (also present in
previous releases) that allows a malicious user to serve arbitrary files
from
On 10/31/2012 06:00 AM, Eric Covener wrote:
In general that is the proper form -- but this particular issue is
documented as a limitation:
Omitting this option should not be considered a security restriction,
since symlink testing is subject to race conditions that make it
circumventable.
On Wed, Oct 31, 2012 at 3:36 PM, Eric Jacobs ejac...@bluehost.com wrote:
On 10/31/2012 06:00 AM, Eric Covener wrote:
In general that is the proper form -- but this particular issue is
documented as a limitation:
Omitting this option should not be considered a security restriction,
since
There is a race condition vulnerability in httpd 2.2.23 (also present in
previous releases) that allows a malicious user to serve arbitrary files
from nearly anywhere on a server that isn't protected by strict OS-level
permissions. In a shared hosting environment, this is a big vulnerability.