Directory Traversal is not only a web-server vulnerability, neza0x. Webapps can be vulnerable as well. Or 3rd party [nginx|apache|etc] modules, for that matter.

On 11/03/2010 05:49 PM, neza0x@xxxxxxxxx wrote:
> Directory Traversal still alive? I mean, does your tool bypass Apache, IIS latest versions? Or it is applicable to IIS 4?
>
> It would be nice to have new techniques, improve multi-byte encoders and so on.
>
> Sent via BlackBerry from Danux Network
>
> -----Original Message-----
> From: "chr1x" <chr1x@xxxxxxxxxxxxx>
> Date: Fri, 29 Oct 2010 23:47:20
> To: <full-disclosure@xxxxxxxxxxxxxxxxx>; <websecurity@xxxxxxxxxxxxx>
> Cc: <webappsec@xxxxxxxxxxxxxxxxxxxxxxx>; <bugtraq@xxxxxxxxxxxxxxxxx>
> Subject: [WEB SECURITY] [TOOL] DotDotPwn v2.1 - The Directory Traversal Fuzzer
>
> CubilFelino Security Research Lab and Chatsubo (IN) Security Labs
> proudly present...
>
> DotDotPwn v2.1 - The Directory Traversal Fuzzer
> ===============================================
>
> Authors: Christian Navarrete (chr1x @ http://chr1x.sectester.net) and
> Alejandro Hernández H. (nitr0us @ http://chatsubo-labs.blogspot.com)
>
> Release date: 29/Oct/2010 (PUBLIC Release at BugCon Security Conferences
> 2010)
>
> Tool Description
> ================
> It's a very flexible intelligent fuzzer to discover traversal directory
> vulnerabilities in software such as Web/FTP/TFTP servers, Web platforms
> such as CMSs, ERPs, Blogs, etc. Also, it has a protocol-independent
> module to send the desired payload to the host and port specified. On
> the other hand, it also could be used in a scripting way using the
> STDOUT module.
>
> It's written in Perl programming language and can be run either under
> *NIX or Windows platforms.
>
> Fuzzing modules supported in this version:
> - HTTP
> - HTTP URL
> - FTP
> - TFTP
> - Payload (Protocol independent)
> - STDOUT
>
> Discovered Vulnerabilities
> ==========================
>
> - HTTP (4 security advisories)
>   * MultiThreaded HTTP Server @ http://www.inj3ct0r.com/exploits/11894
>   * Wing FTP Server v3.4.3 @ http://packetstormsecurity.org/1005-exploits/wingftp-traversal.txt
>   * Yaws 1.89
>   * Mongoose 2.11
>
> - FTP (2 security advisories)
>   * VicFTPS v5.0 @ http://www.inj3ct0r.com/exploits/12131
>   * Home FTP Server vr1.11.1 (build 149) @ http://www.exploit-db.com/exploits/15349
>
> - TFTP (2 security advisories)
>   * TFTP Desktop 2.5 @ http://www.exploit-db.com/exploits/14857
>   * TFTPDWIN v0.4.2 @ http://www.exploit-db.com/exploits/14856
>
> Download
> ========
> Official site: http://dotdotpwn.sectester.net
> Mirror site: http://chatsubo-labs.blogspot.com
>
> Contact
> =======
> Contact: dotdotpwn@xxxxxxxxxxxxx
>
> Vote for DotDotPwn as tool for next BackTrack release!! ->
> http://www.backtrack-linux.org/forums/tool-requests/32082-dotdotpwn.html

--
Arturo "Buanzo" Busleiman :.
Independent Linux and Security Consultant - OWASP - SANS - OISSG .
http://www.buanzo.com.ar/pro/eng.html ..:
http://www.cervezacicuta.com.ar - "THE" Craft Beer of Villa Bosch