From: cwright@bdosyd.com.au
Date: Tue Oct 30 2007 - 18:16:26 EST
Poorly formated uploads could also be used to try a heap or stack attack.
Regards,
Craig Wright (GSE-Compliance)
---in reply to ---
I tried doing a few commands after I telneted to it but it required more rights. I the only venue of sucess I got so far was loging in to the admin management page of the site, which is where I was trying to see if I could get further.
Sent via BlackBerry from T-Mobile
-----Original Message-----
From: cwright (at) bdosyd.com (dot) au [email concealed]
Date: 29 Oct 2007 21:38:47
To:pen-test (at) securityfocus (dot) com [email concealed]
Subject: Re: Pentesting Webserver
Have you tested to see if the FTP server is allowing uploads? Is the upload directory shared if one exists? I would not bypass FTP so soon.
Don?t forget the 2001 Apache compromise?
See Hal Pomeranz?s PPT at http://www.baylisa.org/library/slides/2002/baylisa-oct02.pdf
Regards,
Craig Wright
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:11 EDT