Re: List /home directory without logging in?
From: Gandalf Parker (gandalf_at_most.of.my.favorite.sites)
Date: 07/05/04
- Next message: Alan Baker: "Re: List /home directory without logging in?"
- Previous message: Security Alert: "SSRT4717 rev.0 Remote denial of service in Apache OpenSSL SSL/TLS"
- In reply to: Alan Baker: "List /home directory without logging in?"
- Next in thread: Alan Baker: "Re: List /home directory without logging in?"
Date: Mon, 05 Jul 2004 16:48:09 GMT
alanwbaker@yahoo.com (Alan Baker) wrote in
news:4e2aa94d.0407042219.3a9d19c9@posting.google.com:
> How could someone list /home without logging in?
Usually a user can see that. Maybe one of your own users? But then a user
can usually see /etc/passwd also so it would be a fairly clueless user.
Especially if they tried lost&found.
Badly managed roots under the web server? Can you go to www.example.net and
add /.. then try /../.. then try /../../.. until you see home?
CGIs with forms that don't check length or semi-colons in the responses?
Any other services running that you haven't configured? gopher? ftp? mysql?
Can they go to /home and do an ls?
Gandalf Parker
-- A popular package might mean it's good but it doesn't mean it's secure.
In fact, quite the opposite.
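
Added example, not part of the original post: a log check a defender could run for the two web-facing causes suggested above (requests that climb out of the web root with /.. and semicolons arriving in CGI form input). The log lines are constructed, and the Apache common log format and all function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format (not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jul/2004:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.44 - - [05/Jul/2004:10:02:11 +0000] "GET /../../home/ HTTP/1.0" 200 512
192.0.2.44 - - [05/Jul/2004:10:02:15 +0000] "GET /docs/%2e%2e/%2e%2e/home/ HTTP/1.0" 403 210
192.0.2.44 - - [05/Jul/2004:10:02:19 +0000] "GET /cgi-bin/form.cgi?name=a%3Bls%20/home HTTP/1.0" 200 88
192.0.2.10 - - [05/Jul/2004:10:03:00 +0000] "GET /docs/../index.html HTTP/1.0" 200 1043
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so a double-encoded '..' or ';' is also caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def escapes_root(path):
    """True if the '..' segments climb above the document root at any point."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def scan(log_text):
    """Return (client, target, status, reason) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, _method, target, status = m.groups()
        raw_path, _, raw_query = target.partition("?")
        if escapes_root(fully_decode(raw_path)):
            findings.append((client, target, int(status), "traversal"))
        elif ";" in fully_decode(raw_query):
            findings.append((client, target, int(status), "semicolon-in-query"))
    return findings
```

A flagged request that was answered with status 200 is the one to look at first; /docs/../index.html is not flagged because it never leaves the root.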