[VIM] Webmin traversal - changelog

Steven M. Christey coley at linus.mitre.org
Tue Jul 11 16:02:14 EDT 2006

On Tue, 11 Jul 2006, George A. Theall wrote:

> > //[url]/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01
> > /..%01/[file]
> > (the "/..%01" sequence is repeated 61 times).
> Yes, it's *very* similar to the exploit I used when I wrote my Nessus
> plugin to test for the original flaw:
>   http://www.nessus.org/plugins/index.php?view=viewsrc&id=21785

"*very*" is an understatement :

So now the question is, what's happening here - why is the "%01" working?
Is it getting removed entirely after the ".." check, or does the
underlying OS just ignore the 0x01 byte?  If the latter, then that's a
pretty interesting feature.

- Steve

More information about the VIM mailing list