[pLog-svn] [Lifetype Vulnerability] Very Serious File Disclosure Problem (read passwords/config whatever you want)

Oscar Renalias oscar at renalias.net
Wed Feb 14 03:09:14 EST 2007


I remember playing with this back in the day, but I didn't know about the "%00" trick so I didn't get very far with my attempts. Guess we'll be more careful in the future.

Thanks for reporting it.

On 13 Feb 2007, at 23:31, Matt Wood wrote:

> Dev List,
>
> There exists a very serious file disclosure vulnerability within  
> the RSS engines that allows anyone to read the contents of files  
> considered to be secure.
>
> I highly suggest that everyone turn all RSS off at the moment.
>
> I also suppose you will want to let other people know; I don't really have the time to mess with the forums warning people.
>
> Oscar / Jon, I will contact you separately later tonight as this  
> vulnerability compromises www.lifetype.net... and I don't really  
> want our new server to get hosed.
>
> -Matt
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
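The thread names the "%00" trick but does not show the affected RSS code. The following is an added example written for this page, not LifeType's own code: it shows why an encoded NUL defeats a fixed suffix when the path is built in a binary-safe string but handed to a C-string API such as fopen(), and a validator that checks the decoded length rather than strlen(). The "templates/" directory, the ".template" suffix and the sample input are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode `in` into `out` without stopping at a decoded NUL, the way a
 * binary-safe string type (PHP's, for instance) keeps it. Returns the decoded
 * length, which can be larger than strlen(out). */
size_t url_decode(const char *in, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0' && n + 1 < cap; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        } else {
            out[n++] = (unsigned char)in[i];
        }
    }
    out[n] = '\0';
    return n;
}

/* Build "<dir><name><suffix>" with explicit lengths so an embedded NUL in
 * `name` survives, as it would in a binary-safe string. Returns full length. */
size_t build_path(const char *dir, const unsigned char *name, size_t name_len,
                  const char *suffix, unsigned char *out, size_t cap)
{
    size_t dl = strlen(dir), sl = strlen(suffix);
    if (dl + name_len + sl + 1 > cap) return 0;
    memcpy(out, dir, dl);
    memcpy(out + dl, name, name_len);
    memcpy(out + dl + name_len, suffix, sl);
    out[dl + name_len + sl] = '\0';
    return dl + name_len + sl;
}

/* What a C-string API such as fopen() or open() actually sees: the bytes up
 * to the first NUL. Anything appended after a %00 is never consulted. */
size_t effective_len(const unsigned char *path)
{
    return strlen((const char *)path);
}

/* Hardened check: a short character whitelist rules out NUL, '/', '\\' and
 * ".." at once. It walks the decoded *length*, not strlen(), so a NUL cannot
 * hide the rest of the name from the validator. */
int is_safe_name(const unsigned char *name, size_t len)
{
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = name[i];
        if (!(isalnum(c) || c == '-' || c == '_')) return 0;
    }
    return 1;
}

/* Run one encoded name through decode -> build -> inspect, for easy checking. */
struct probe { size_t decoded, full, effective; int safe; };

struct probe probe_name(const char *encoded)
{
    unsigned char name[128], path[256];
    struct probe p;
    p.decoded = url_decode(encoded, name, sizeof name);
    p.full = build_path("templates/", name, p.decoded, ".template",
                        path, sizeof path);  /* assumed dir and suffix */
    p.effective = effective_len(path);
    p.safe = is_safe_name(name, p.decoded);
    return p;
}

int main(void)
{
    /* Constructed sample input in the shape of the "%00" trick: a traversal
     * string followed by an encoded NUL. The target path is illustrative. */
    struct probe bad = probe_name("../../config/config.properties.php%00");
    struct probe ok = probe_name("rss");
    printf("hostile: decoded %zu, path %zu, fopen sees %zu, validator %d\n",
           bad.decoded, bad.full, bad.effective, bad.safe);
    printf("benign:  decoded %zu, path %zu, fopen sees %zu, validator %d\n",
           ok.decoded, ok.full, ok.effective, ok.safe);
    return 0;
}
```

The gap between `full` and `effective` for the hostile name is the appended suffix that the file API never sees; the validator closes the hole by refusing the name before any path is built.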
