|
-----BEGIN PGP SIGNED MESSAGE----- ################################################################ # _____ __ __ ___ # # ........\ \.| |.| |/ \........ # # : / \| | | | __> : # # : / _ \ |_| | / __ : # # : / / \ | <_/ \ : # # :..../ _/ / _ | ` \....: # # : \_________/__| |__|_______/ : # # : Damage Hacking Group : # # : Security Advisory : # # :.............................: # # # # http://www.dhgroup.org # #b d# ##b,________________________________________________________.d## | | Product: Tornado www-server v1.2 Authors: www.softrex.com/tornado/ | Vulnerability: multiple bugs | #--------------------------------------------------------------# | Overview: | ~~~~~~~~~ Another one http server | | #--------------------------------------------------------------# | Problem: | ~~~~~~~~ This server is one BiG problem. IMHO is most dangerous server. Main bug in DNA ;D Attacker may see any files in system (but only if he know path and filename), may crash server (and exec malicious code) by sending long http request. Examples: www.server.com/../existing_file <-file be showed www.server.com/aa[more than 471 chars] | | #--------------------------------------------------------------# | Exploit: | ~~~~~~~~ Naah, its not interesting. Lets authors code something better. | | #--------------------------------------------------------------# | :wow: | ~~~ NeKr0 /DHG www.dhgroup.org | | #______________________________________________________________# \___________________________da_end___________________________/ Best regards www.dhgroup.org D4rkGr3y icq 540981 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQCVAwUBPtaTMW4LIpseSJmPAQFU5AP/bO2H6whq/DXFdjYndYthn3sC35RlR6Lh TF9tuOZyTPzsRwf0wKZEw3ivtyoAKVL3Qn6a+kCC7XE049TViDujQ5ykevkADl41 aA1E+wqV23xZjJfLuDBuJNgl2TbaJop+qYvrE5Rh83k81q4MdGLAuwQkM57M5xch 5JSPz5M1yC0= =dw5D -----END PGP SIGNATURE-----