funsec mailing list archives
Adobe web server wide open
From: "Paul Ferguson" <fergdawg () netzero net>
Date: Wed, 26 Sep 2007 21:06:29 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Via heise Security.

[snip]

One of Adobe web server's CGI scripts contains a critical directory traversal vulnerability which allows access to arbitrary system files. Opening a specially crafted URL in a browser is all that is required to display file contents. Apart from config files it is also possible to view log files, SSL keys and password files.

Which key pair the retrievable private SSL key belongs to remains to be established; so far it does not seem to correspond to any of the known Adobe SSL certificates. It is unclear whether this vulnerability affects Adobe's web shop and allows the retrieval of customer data. However, URLs are already being circulated in forums and chats, and it should only be a matter of time until someone accesses this type of information.

Adobe has already been informed about the problem via email. We must wait and see how quickly the software company will respond.

[snip]

Link: http://www.heise-security.co.uk/news/96605

Also: http://isc.sans.org/diary.html?storyid=3423

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFG+snSq1pz9mNUZTMRAu96AKClaOhlyS4eKOEOVrmOlmryv8TSKwCg/jAo
Jxlay0ALfbfSJdgOkCCVZ7A=
=/Nd5
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.