Bugs item #3288397, was opened at 2011-04-17 11:46
Message generated for change (Tracker Item Submitted) made by rutsky
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=466456&aid=3288397&group_id=52322

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: Yes
Submitted By: Vladimir Rutsky (rutsky)
Assigned to: Nobody/Anonymous (nobody)
Summary: SECURITY: Include vulnerability in web site

Initial Comment:
/htdocs/index.php doesn't sanitize input GET arguments, which can lead to exploitation of an include vulnerability (http://en.wikipedia.org/wiki/Include_vulnerability).

For example, going by this link:
http://vim-latex.sourceforge.net/index.php?subject=../../newsexample/htdocs/include-vuln

will include the script from another project, http://newsexample.sourceforge.net/include-vuln.inc, and run its contents under the vim-latex project "user".

According to the SourceForge web filesystem documentation (https://sourceforge.net/apps/trac/sourceforge/wiki/Project%20Web%20Filesystem%20Permissions), this can lead to overwriting of vim-latex web site files, and a potential hacker can gain control over the vim-latex project web site.

----------------------------------------------------------------------

_______________________________________________
Vim-latex-devel mailing list
Vim-latex-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/vim-latex-devel
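The pattern the report describes, as an added example that is not vim-latex's actual index.php: a hypothetical reconstruction of a page dispatcher that passes the `subject` parameter straight into `include`, next to a hardened version that resolves the parameter through a fixed allowlist so no request-controlled string ever reaches the filesystem path. The page names (`home`, `features`, `download`) and the `pages/` directory are assumptions.

```php
<?php
// Added example, not the project's code. Weak pattern as described in the
// report: the GET parameter is concatenated into the include path, so a
// traversal sequence can select any .inc file the web server can read.
function render_subject_unsafe(string $subject): void
{
    include __DIR__ . '/' . $subject . '.inc';
}

// Hardened pattern: the parameter is only ever used as a key into a fixed
// map of known pages. Unknown values fall back to the default page and are
// logged so probing attempts show up in the error log.
const SUBJECTS = [
    'home'     => 'home.inc',       // assumed page names
    'features' => 'features.inc',
    'download' => 'download.inc',
];

function resolve_subject(?string $subject): string
{
    if ($subject !== null && array_key_exists($subject, SUBJECTS)) {
        return SUBJECTS[$subject];
    }
    error_log('index.php: rejected subject parameter '
        . var_export($subject, true));
    return SUBJECTS['home'];
}

function render_subject(?string $subject): void
{
    $base = __DIR__ . '/pages/';
    $path = $base . resolve_subject($subject);

    // Defence in depth: even though the filename came from the allowlist,
    // confirm the resolved path still lies inside the pages directory.
    $real = realpath($path);
    if ($real === false || strpos($real, realpath($base) . '/') !== 0) {
        http_response_code(404);
        return;
    }
    include $real;
}

render_subject($_GET['subject'] ?? null);
```

On a shared web filesystem such as the one the report links to, the allowlist matters more than a traversal filter, because the sibling directories belong to other projects and are readable by design.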