Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

A correction to "UNIRAS ALERT - 34/04"

From: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
Date: Tue, 21 Sep 2004 17:58:42 +0200

----- Forwarded message from Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
-----
    Date: Thu, 16 Sep 2004 12:24:39 +0200
    From: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
Reply To: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
 Subject: A correction to "UNIRAS ALERT - 34/04"
      To: vulteam () niscc gov uk

Hello,

I think this paragraph from your alert 34/04 is misleading:


However for this vulnerability to be exploited, an attacker must first
induce a normal user to install the malicious configuration files onto
their servers before a exploit can take place.


In the scenario that I and SITIC have described, the attacker is the normal 
user. If Peter is a customer of MegaISP, which allows their users to configure 
their web pages with .htaccess files, Peter can hack MegaISP by storing 
malicious .htaccess files in his web space at MegaISP. Thus, there is no need 
for an attacker to induce a normal user to do anything.

Please correct this.

// Ulf Harnhammar

----- End of forwarded message -----

BTW, I wrote some more about this vulnerability in my Advogato blog.

-- 
Ulf Harnhammar
http://www.advogato.org/person/metaur/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: