In-Reply-To: <20021010180935.14148.qmail@mail.securityfocus.com>

>Received: (qmail 22343 invoked from network); 10 Oct 2002 18:54:28 -0000
>Received: from outgoing2.securityfocus.com (HELO outgoing.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 10 Oct 2002 18:54:28 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>  by outgoing.securityfocus.com (Postfix) with QMQP
>  id E32B88F2D4; Thu, 10 Oct 2002 11:59:02 -0600 (MDT)
>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@securityfocus.com>
>List-Help: <mailto:bugtraq-help@securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Received: (qmail 22655 invoked from network); 10 Oct 2002 18:05:58 -0000
>Date: 10 Oct 2002 18:09:35 -0000
>Message-ID: <20021010180935.14148.qmail@mail.securityfocus.com>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: thefastkid <thefastkid@ziplip.com>
>To: bugtraq@securityfocus.com
>Subject: MondoSearch show the source of all files
>

Although Mondosoft was not notified prior to the posting, Mondosoft has reacted quickly and has remedied the situation within 24 hours, by which time all Mondosoft customers were notified.

See the following:

Secure your site without updating: http://www.mondosoft.com/security-info.asp
Obtaining an update: http://www.mondosoft.com/security-update.asp

>
>MondoSearch show the source of all files
>--------------------------------------------
>
>Affected Program: MondoSearch 4.4
>(possibly earlier versions too, but not tested)
>Vendor: http://www.mondosoft.com
>Vendor Status: not informed yet
>Discovery Date: 10 Oct 2002
>
>Problem
>-------
>You can see the source of the files that are in the same
>directory and subdirectories
>
>
>Example
>-------
>http://www.foo/cgi-bin2/MsmMask.exe?mask=/foo.asp
>..to see the source of foo.asp in the root dir
>
>
>Solutions
>---------
>* The program has to check if it is a real .cfg file
>
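The advisory's single fix item is that the program must verify the requested mask is a real .cfg file. The following is an added illustration of what that check should look like in a CGI that takes a file name from a query parameter; it is not Mondosoft's code and makes no claim about how MsmMask.exe is implemented. It assumes a hypothetical masks directory under the web root and builds a constructed directory tree in a temporary location so it runs offline. Beyond the extension check the advisory asks for, it also pins the resolved path inside the masks directory, which is what stops "../" and "/foo.asp"-style requests from reaching other files even when they do end in .cfg.

```python
import os
import shutil
import tempfile

# Only mask configuration files may be served; everything else is refused.
ALLOWED_EXT = ".cfg"


def resolve_mask(masks_dir, mask):
    """Return the absolute path of the mask file if, and only if, it is a
    regular .cfg file located under masks_dir; otherwise return None.

    Rejects other extensions (foo.asp), traversal (../ or ..\\), absolute
    paths, embedded NUL bytes and names that are not existing regular files.
    """
    if not mask or "\x00" in mask:
        return None
    # Treat both separator styles alike and drop any leading root marker so
    # the request is always interpreted relative to masks_dir.
    candidate = mask.replace("\\", "/").lstrip("/")
    # Extension check is case-insensitive because Windows filesystems are.
    if os.path.splitext(candidate)[1].lower() != ALLOWED_EXT:
        return None
    base = os.path.realpath(masks_dir)
    full = os.path.realpath(os.path.join(base, candidate))
    # Containment check: realpath has already collapsed ".." segments and
    # followed symlinks, so the result must still sit inside masks_dir.
    if os.path.commonpath([base, full]) != base:
        return None
    if not os.path.isfile(full):
        return None
    return full


def build_demo_tree():
    """Create a constructed layout: a web root holding foo.asp and a
    secret.cfg, plus cgi-bin2/masks/default.cfg. Returns (root, masks_dir)."""
    root = tempfile.mkdtemp(prefix="mask_demo_")
    masks = os.path.join(root, "cgi-bin2", "masks")
    os.makedirs(masks)
    with open(os.path.join(root, "foo.asp"), "w") as f:
        f.write("<% ' constructed ASP source that must not be disclosed %>\n")
    with open(os.path.join(root, "secret.cfg"), "w") as f:
        f.write("# constructed .cfg that lives outside the masks directory\n")
    with open(os.path.join(masks, "default.cfg"), "w") as f:
        f.write("# constructed mask configuration\n")
    return root, masks


def check_cases():
    """Run a set of constructed requests through resolve_mask and report,
    per request, whether it was accepted (True) or refused (False)."""
    root, masks = build_demo_tree()
    requests = [
        "default.cfg",          # legitimate mask file
        "/foo.asp",             # the disclosure request from the advisory
        "../../foo.asp",        # traversal to a non-.cfg file
        "../../secret.cfg",     # right extension, wrong directory
        "..\\..\\secret.cfg",   # same, with Windows separators
        "foo.asp\x00.cfg",      # NUL-byte extension spoofing
        "missing.cfg",          # correct shape but no such file
        "",                     # empty parameter
    ]
    try:
        return {r: resolve_mask(masks, r) is not None for r in requests}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for request, accepted in check_cases().items():
        print("%-22r -> %s" % (request, "served" if accepted else "refused"))
```

The order of the checks matters: the NUL test runs before anything touches the filesystem, the extension test runs on the request string, and the containment test runs on the canonical path rather than on the string, so encodings or separator tricks that survive the first two cannot slip past the third.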