Bugtraq mailing list archives
Re: FW: [Alert] Website's uploader.exe (from demo) vulnerable
From: davem () ISS NET (David J. Meltzer)
Date: Fri, 5 Sep 1997 17:30:33 -0400
O'Reilly's webserver 'website' contains a demo package that contains the cgi-program uploader.exe. The program uploader.exe doesn't check anything at all.....

This hole did exist prior to the July 1996 revision of uploader.bas, when I added a security fix. The fix has been available since that time at http://software.ora.com/techsupport/software/updates.html. The revised uploader was also included in WebSite 1.1g.

FYI - The current WebSite Professional 2.0 Beta is vulnerable to the uploader.exe problem. Of course being beta code it is expected to have bugs but just want to be sure you are aware so it gets fixed before 2.0 hits a release.

-Dave

--------------------------------+---------------------
David J. Meltzer                | Email: davem () iss net
Systems Engineer                | Web: www.iss.net
Internet Security Systems, Inc. | Fax: (770)395-1972