6 May 2011, 6:09 a.m.
Hi Jeremy
On 06-05-2011 05:21, Jeremy Laidman wrote:
Peoples
I've discovered a directory traversal vulnerability in the svcstatus.c file, allowing a remote attacker to view any file on the filesystem that's visible to the web server user. When viewing a specific historical entry, and then setting the parameter for TIMEBUF to "../../../..(etc)/path/to/file" you get to view the file.
Definitely not a good feature to have.
Fixed in version 4.3.3 which should be available from Sourceforge now. There were a couple of other places which could potentially have the same type of issue - I've fixed those as well.
4.3.3 also fixes a couple more cross-site scripting vulnerabilities, and has the "normal" bugfixes that have accumulated.
Regards, Henrik
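The report above describes a CGI parameter (TIMEBUF) being used directly as a path component, so "../" sequences walk out of the history directory. The usual fix is to validate the parameter against the format it is supposed to have before touching the filesystem, and to check the assembled path as a second line of defence. The following C code is an added illustration of that pattern; it is not Xymon's own code and not the 4.3.3 patch. The timestamp character set (letters, digits, '_', '-', ':'), the history directory layout and the sample values are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Generic check for a single path component supplied by a client:
 * non-empty, printable ASCII, no separators, and not "." or "..".
 * Suitable for host names, which legitimately contain dots. */
int safe_path_component(const char *s)
{
    if (s == NULL || *s == '\0') return 0;
    if (strlen(s) > 255) return 0;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0) return 0;
    for (const char *p = s; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '/' || c == '\\') return 0;   /* directory separators */
        if (c < 0x20 || c > 0x7e) return 0;    /* control / non-ASCII bytes */
    }
    return 1;
}

/* Stricter allow-list for the history timestamp parameter.
 * Assumption (constructed for this example): a timestamp is written with
 * letters, digits, '_', '-' and ':' only, so any '.', '/', '%' or space
 * is rejected outright. */
int timebuf_is_safe(const char *timebuf)
{
    if (timebuf == NULL || *timebuf == '\0') return 0;
    if (strlen(timebuf) > 64) return 0;
    for (const char *p = timebuf; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || c == '_' || c == '-' || c == ':') continue;
        return 0;
    }
    return 1;
}

/* Assemble <histdir>/<host>/<timebuf>, refusing anything that fails the
 * validators above, overflows the buffer, or still contains a ".." segment
 * or doubled slash. Returns 1 and fills 'out' on success, 0 otherwise. */
int build_history_path(const char *histdir, const char *host,
                       const char *timebuf, char *out, size_t outlen)
{
    if (!safe_path_component(host) || !timebuf_is_safe(timebuf)) return 0;
    int n = snprintf(out, outlen, "%s/%s/%s", histdir, host, timebuf);
    if (n < 0 || (size_t)n >= outlen) return 0;
    /* belt-and-braces lexical check on the final string */
    if (strstr(out, "/../") != NULL || strstr(out, "//") != NULL) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample values, not taken from a real Xymon installation. */
    const char *histdir = "/var/lib/xymon/hist";
    const char *good = "Fri_May__6_06:09:00_2011";
    const char *bad  = "../../../../etc/passwd";
    char path[512];

    if (build_history_path(histdir, "www.example.com", good, path, sizeof path))
        printf("accepted: %s\n", path);
    if (!build_history_path(histdir, "www.example.com", bad, path, sizeof path))
        printf("rejected traversal attempt\n");
    return 0;
}
```

The allow-list validator is the part that actually closes the hole: once the timestamp can only contain characters from the expected format, neither "../" nor encoded variants survive. The lexical check on the assembled path costs nothing and catches a future caller that forgets to validate.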