On Wed, 21 Jul 2004, Todd Towles wrote:

> I don't think it is big either, but I don't have an account on
> soundforge.net - therefore I was unaware of the limited access this would give
> you. But if they need to correct it, then it is a small vulnerability
> (mis-configuration or whatever).

It's not a mis-configuration; this does not allow you to look at any secret file, only the files that the user nobody can read.

> <rant> Directory Traversals are pretty public and are one of the vulnerabilities
> that should teach people to lock down the services on exposed servers. Why
> should your SQL or Web server run as SYSTEM (or root) when it works fine in
> a more limited user? Why take the chance. </rant>

On sourceforge it's running as "nobody" (it would be a little better if they created an account for that).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
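The thread makes two separate points: the traversal itself is an input-handling bug in the service, and running the service as "nobody" limits what a traversal can reach. The following is an added illustration of the first point, written for this page and not code from either poster or from sourceforge: a path-containment check that a file-serving handler can apply to a client-supplied path before opening anything. The directory layout and file contents are constructed for the demo; the function and file names are my own.

```python
import os
import tempfile


def resolve_under(root, requested):
    """Return the absolute path for `requested` only if it stays inside `root`.

    `root` is the directory the service is allowed to serve from; `requested`
    is the untrusted, client-supplied relative path. realpath() follows
    symlinks, so a link inside the tree that points outside it is rejected
    as well as plain "../" sequences. Returns None on escape.
    """
    root_real = os.path.realpath(root)
    # os.path.join discards `root` entirely if `requested` is absolute,
    # so strip leading separators before joining.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/\\")))
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


def serve_file(root, requested):
    """Read a file on behalf of a client, refusing anything outside `root`."""
    path = resolve_under(root, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Build a constructed directory tree and exercise the check."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.makedirs(docroot)
    with open(os.path.join(docroot, "index.html"), "wb") as fh:
        fh.write(b"public page")
    # A file one level above the document root: readable by the service's
    # own user, but never meant to be handed to clients.
    outside = os.path.join(base, "config.txt")
    with open(outside, "wb") as fh:
        fh.write(b"not for clients")

    results = {
        "index.html": serve_file(docroot, "index.html"),
        "../config.txt": serve_file(docroot, "../config.txt"),
        "/../config.txt": serve_file(docroot, "/../config.txt"),
    }
    # A symlink inside the tree pointing outside it is caught by realpath().
    link = os.path.join(docroot, "link")
    try:
        os.symlink(outside, link)
        results["link-to-outside"] = serve_file(docroot, "link")
    except (OSError, NotImplementedError):
        results["link-to-outside"] = None  # platform without symlink support
    return results


if __name__ == "__main__":
    for req, body in demo().items():
        print(f"{req!r:20} -> {body!r}")
```

The check compares resolved absolute paths rather than scanning the input for "..", so encoded or platform-specific variants of the same idea are handled by the same comparison. It complements, rather than replaces, running the service as an unprivileged account: the check decides what the handler will open, the account decides what the process can open at all.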
