[Systems] False positive

Ivan Krstić krstic at solarsail.hcs.harvard.edu
Fri Mar 13 08:29:49 EDT 2009

On Mar 13, 2009, at 11:39 AM, Bernie Innocenti wrote:
> The second one comes from the new web site.  It returns 200, but  
> doesn't discolose the contents of passwd.

Only by luck. I patched the version on solarsail to remove the  
directory traversal vulnerability and implement caching, and Christian  
will use that one in the future.

Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org

More information about the Systems mailing list