Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG  Not logged in ELOG logo
icon4.gif   Buffer Overflow?, posted by Chris Warner on Wed Jan 18 17:20:45 2006 
    icon2.gif   Re: Buffer Overflow?, posted by Stefan Ritt on Thu Jan 19 10:31:05 2006 
       icon7.gif   Re: Buffer Overflow?, posted by Chris Warner on Fri Jan 20 02:53:40 2006 
Message ID: 1608     Entry time: Thu Jan 19 10:31:05 2006     In reply to: 1607     Reply to this: 1615
Icon: Reply  Author: Stefan Ritt  Author Email: stefan.ritt@psi.ch 
Category: Bug report  OS: Linux  ELOG Version: 2.6 
Subject: Re: Buffer Overflow? 

Chris Warner wrote:
Users can access root level directories by using a modified URL. I saw on some security web sites that this was a problem in previous versions. Was it not fixed in 2.6?

To recreate enter http://yourhost.yourdomain.com/../../../../etc/passwd

view your password file in the browser.

If this was previously reported, is there a fix?

Chris Warner


Thanks for telling me, I didn't know. I was able to reproduce your problem under certain conditions, and I just released version 2.6.1 to fix it. However it has nothing to do with an old buffer overflow (see elog:941).

I would strongly advise everybody to upgrade as soon as possible.
ELOG V3.1.5-fe60aaf