Hi Jeremy
On 06-05-2011 05:21, Jeremy Laidman wrote:
> Peoples
> I've discovered a directory traversal vulnerability in the svcstatus.c
> file, allowing a remote attacker to view any file on the filesystem
> that's visible to the web server user. When viewing a specific
> historical entry, and then setting the parameter for TIMEBUF to
> "../../../..(etc)/path/to/file" you get to view the file.
> Definitely not a good feature to have.
Fixed in version 4.3.3 which should be available from Sourceforge now. There were a couple of other places which could potentially have the same type of issue - I've fixed those as well.
4.3.3 also fixes a couple more cross-site scripting vulnerabilities, and has the "normal" bugfixes that have accumulated.
Regards,
Henrik
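The traversal Jeremy describes is the classic case of a CGI parameter being concatenated onto a directory path and handed to open(). The following is an added illustration in C, not Xymon's code and not the actual 4.3.3 fix: a hypothetical history-file path builder in its unchecked form beside an allow-listed form that rejects "..", path separators and anything else outside the token format the parameter is supposed to carry. The history directory, the function names and the assumed TIMEBUF token format (letters, digits, "_", "-" and ":") are assumptions for the example; the real svcstatus.c may use a different format.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Unchecked builder: what a traversal-prone handler effectively does.
 * An attacker-controlled timebuf of "../../../../etc/passwd" simply
 * walks out of histdir, and open() will happily follow it.
 * Returns 0 on success, -1 if the result would not fit in out.
 */
int build_path_unchecked(const char *histdir, const char *timebuf,
                         char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", histdir, timebuf);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/*
 * Allow-list validation of the parameter. Only characters that can
 * appear in the assumed timestamp token are accepted, so "/", "\\",
 * "." and NUL-adjacent tricks are all rejected without needing a
 * deny-list of "../" variants. Must run on the URL-decoded value,
 * otherwise "%2e%2e%2f" passes the check and decodes later.
 * Returns 1 if safe, 0 otherwise.
 */
int timebuf_is_safe(const char *timebuf)
{
    if (timebuf == NULL || *timebuf == '\0')
        return 0;
    for (const char *p = timebuf; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '_' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/*
 * Hardened builder: validate first, then build. Because validation
 * rules out path separators, the result is always a direct child of
 * histdir. Returns 0 on success, -1 on rejection or overflow.
 */
int build_path_checked(const char *histdir, const char *timebuf,
                       char *out, size_t outlen)
{
    if (!timebuf_is_safe(timebuf))
        return -1;
    return build_path_unchecked(histdir, timebuf, out, outlen);
}

int main(void)
{
    /* Constructed inputs: one legitimate token, one traversal attempt. */
    const char *histdir = "/var/lib/xymon/hist";   /* assumed location */
    const char *good = "2011-05-06_05:21";
    const char *evil = "../../../../etc/passwd";
    char path[256];

    if (build_path_unchecked(histdir, evil, path, sizeof path) == 0)
        printf("unchecked: would open %s\n", path);
    if (build_path_checked(histdir, evil, path, sizeof path) != 0)
        printf("checked:   rejected %s\n", evil);
    if (build_path_checked(histdir, good, path, sizeof path) == 0)
        printf("checked:   opening %s\n", path);
    return 0;
}
```

The point of an allow-list over stripping "../" is that it also blocks absolute paths, backslashes, and encoded or doubled sequences ("....//") that a naive strip leaves behind; the same check applies to any other parameter that ends up in a file name, which is why Henrik's note about fixing "a couple of other places" matters.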