On 17/04/2008, at 6:09 AM, Rick Phillips wrote:
> !!!! 1 possible successful probes
> /long_path_to_file/../../../etc/passwd HTTP Response 200
>
> With the environment (described above) in place, should I be worried or
> should I be confident that I have taken every precaution I can take?

I would be a little concerned; if they can download /etc/passwd, they could
download a more sensitive file. Have you tried to download passwd yourself?
Does it actually work?

What's your DocumentRoot, out of curiosity?
--
Michael Chesterton
http://chesterton.id.au/blog/
http://barrang.com.au/
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html