Hi bugtraq again...

Now I've found another vulnerability in the BPM STUDIO PRO 4.2 HTTP server implementation. Anyone can download any file on a host running this software simply by performing this HTTP request:

http://BPM-HOST/../../../../autoexec.bat

The HTTP server is not activated by default...

Bye

-----------------------------------------------
][-][UNTER
Infobyte Security Research Crew
Buenos Aires, Argentina
-----------------------------------------------
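
The check a file-serving HTTP handler needs in order to refuse the request quoted above, as an added example that is not part of the original post and is not BPM Studio's code. The document root /srv/bpm/www and the names resolve_request_path, is_blocked and TraversalError are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

DOC_ROOT = "/srv/bpm/www"  # hypothetical document root, not from the post


class TraversalError(ValueError):
    """Request target would resolve outside the document root."""


def resolve_request_path(request_target, doc_root=DOC_ROOT):
    """Map a request target to a path under doc_root, or raise TraversalError."""
    # Accept both absolute URLs and origin-form targets; keep only the path.
    path = unquote(urlsplit(request_target).path)  # decode %2e%2e%2f first
    if "\x00" in path:
        raise TraversalError("NUL byte in path")
    # On a Windows host a backslash separates segments too, so fold it in.
    segments = [s for s in path.replace("\\", "/").split("/") if s not in ("", ".")]
    for seg in segments:
        if seg == "..":
            raise TraversalError("parent-directory segment")
        if ":" in seg:
            raise TraversalError("drive letter or stream name in segment")
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Defence in depth: the normalized result must still sit under the root.
    if posixpath.commonpath([root, candidate]) != root:
        raise TraversalError("resolved outside document root")
    return candidate


def is_blocked(request_target):
    """True when the request must be refused (answer 403/404, read no file)."""
    try:
        resolve_request_path(request_target)
    except TraversalError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample targets; the first is the request quoted in the post.
    for target in ("http://BPM-HOST/../../../../autoexec.bat",
                   "/%2e%2e/%2e%2e/autoexec.bat",
                   "/..\\..\\autoexec.bat",
                   "/playlists/index.html"):
        print(("BLOCK " if is_blocked(target) else "SERVE ") + target)
```

The example works on path strings only; a server that follows symbolic links or junctions should also compare the real, resolved file path against the real document root before opening the file.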