[VIM] Webmin traversal - changelog
Steven M. Christey
coley at linus.mitre.org
Tue Jul 11 16:02:14 EDT 2006
On Tue, 11 Jul 2006, George A. Theall wrote:
> > //[url]/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/[file]
> > (the "/..%01" sequence is repeated 61 times).
>
> Yes, it's *very* similar to the exploit I used when I wrote my Nessus
> plugin to test for the original flaw:
>
> http://www.nessus.org/plugins/index.php?view=viewsrc&id=21785
"*very*" is an understatement.
So now the question is, what's happening here - why is the "%01" working?
Is it getting removed entirely after the ".." check, or does the
underlying OS just ignore the 0x01 byte? If the latter, then that's a
pretty interesting feature.
- Steve
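The two hypotheses Steve raises can be tried out directly. The block below is an added illustration, not code from the thread and not Webmin's miniserv.pl: `vulnerable_resolve` is a constructed model of the first hypothesis (the ".." check runs before the 0x01 byte is stripped), `safe_resolve` is the ordering a hardened handler would use, and `os_collapses_control_byte` asks the operating system itself whether a "..\x01" path component behaves like "..". The document root `/var/webmin` and the eight-hop payload are assumptions chosen for the example; the real request in the thread repeats the sequence 61 times.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Constructed payload shaped like the request quoted in the thread, with
# eight "..%01/" hops instead of 61 (assumption: the document root is at
# most eight levels deep, which is plenty for the hypothetical /var/webmin).
PAYLOAD = "/unauthenticated/" + "..%01/" * 8 + "etc/passwd"
DOC_ROOT = "/var/webmin"   # hypothetical document root, not Webmin's real layout


def vulnerable_resolve(root, url_path):
    """Models the first hypothesis in the message: the '../' check runs
    while the 0x01 byte still separates '..' from '/', and control bytes
    are only stripped afterwards. Constructed model, not Webmin's code."""
    path = unquote(url_path)                       # '%01' -> '\x01'
    if "../" in path:                              # sees '..\x01/' and passes
        raise PermissionError("traversal blocked")
    path = "".join(ch for ch in path if ord(ch) >= 0x20)   # now plain '../'
    return posixpath.normpath(root + path)


def safe_resolve(root, url_path):
    """Hardened order: decode, reject (never strip) control bytes,
    canonicalize the full path, then check it is still under the root."""
    path = unquote(url_path)
    if any(ord(ch) < 0x20 for ch in path):
        raise ValueError("control character in path")
    root_real = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root_real, path.lstrip("/")))
    if os.path.commonpath([root_real, full]) != root_real:
        raise PermissionError("outside document root")
    return full


def os_collapses_control_byte():
    """Empirical check of the second hypothesis: build a scratch tree and
    open a file through a '..\\x01' path component. Returns True only if
    the OS silently treated that component as '..'."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "sub"))
        with open(os.path.join(tmp, "data.txt"), "w") as fh:
            fh.write("probe")
        try:
            with open(os.path.join(tmp, "sub", "..\x01", "data.txt")) as fh:
                return fh.read() == "probe"
        except OSError:            # ENOENT on Linux: '..\x01' is just a name
            return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve(DOC_ROOT, PAYLOAD))
    try:
        print("hardened:", safe_resolve(DOC_ROOT, PAYLOAD))
    except (ValueError, PermissionError) as exc:
        print("hardened: rejected,", exc)
    print("OS collapses '..\\x01' to '..':", os_collapses_control_byte())
```

On Linux the probe returns False: the kernel accepts any byte other than "/" and NUL in a filename, so "..\x01" is simply a directory that does not exist, and the bypass has to come from the server dropping the byte after its ".." check rather than from the OS ignoring it. The hardened version avoids the whole class by refusing control bytes outright and by checking containment only after the path has been fully decoded and canonicalized.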