Re: [cobalt-security] Cobalt Cube Webmail directory traversal (fwd)
- Subject: Re: [cobalt-security] Cobalt Cube Webmail directory traversal (fwd)
- From: shimi <shimi@xxxxxxxxxxxxxxxx>
- Date: Fri, 6 Jul 2001 06:38:51 -0700 (PDT)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Fri, 6 Jul 2001, Mark Anderson wrote:
> > I'm always shocked to see the number of programs that don't check this
> > very obvious thing (in Microsoft's case, even the webserver itself!!!)
> > I don't see why the webserver should even UNDERSTAND what ".." is (in a
> > URL, that is).
> Just a technical note - it's not the webserver software which interprets the
> "..", it's the underlying operating system. The software has to be written to
> specifically ignore certain paths such as "..".
>
> Mark.
>
>
It depends... on whether you wrote your own functions or not... like the glob() bug:
some systems had an ftp with globbing written as its own function, not using
the OS's defaults, and those were invulnerable to the bugs (of exhausting CPU
cycles and RAM)...
remember?
And in any case I am still correct... if a webserver has a server root, in
no case shall the webserver send out a page from a directory above its
server root. That's only my opinion, though... (chroot was made for
limiting software to exactly the same thing)
- shimi.
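An added example (my own code, not from this thread or from any Cobalt product) of the server-root rule shimi describes: rather than pattern-matching ".." in the URL, the server resolves the requested path on the filesystem and refuses anything whose real location is outside the document root. It goes slightly beyond the thread by also catching percent-encoded dots and a symlink that points out of the root; `resolve_request`, the temporary directory layout and the file names are all constructed for the demo.

```python
import os
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import unquote


def resolve_request(docroot: str, url_path: str) -> Optional[str]:
    """Map a URL path onto a file under docroot, or return None if it escapes.

    No attempt is made to recognise ".." textually: realpath() collapses "."
    and "..", follows symlinks, and the result is then checked for containment.
    """
    root = os.path.realpath(docroot)
    decoded = unquote(url_path.split("?", 1)[0])  # path component, decoded once
    if "\x00" in decoded:  # a NUL would truncate the name in C file APIs
        return None
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Compare whole components: "/srv/www" must not accept "/srv/www-private/x".
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def build_demo_tree() -> Tuple[str, str]:
    """Constructed layout: htdocs/index.html, a secret outside, an escaping symlink."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    docroot = os.path.join(base, "htdocs")
    os.makedirs(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as fh:
        fh.write("<h1>public</h1>\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("not for the web\n")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(docroot, "leak"))
    return base, docroot


def run_demo() -> Dict[str, bool]:
    """Return, per constructed request, whether it would be served (True) or refused."""
    _base, docroot = build_demo_tree()
    requests = [
        "/index.html",            # legitimate file under the root
        "/../secret.txt",         # plain dot-dot
        "/%2e%2e/secret.txt",     # percent-encoded dot-dot
        "/sub/../../secret.txt",  # traversal through a non-existent directory
        "/leak",                  # symlink inside the root pointing outside it
    ]
    return {r: resolve_request(docroot, r) is not None for r in requests}


if __name__ == "__main__":
    for req, served in run_demo().items():
        print(("served " if served else "refused"), req)
```

Only `/index.html` is served; every other request resolves to a location above the document root and is refused, whatever form the ".." took.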