Date: Fri, 21 Jul 2000 14:14:27 -0700
From: Max Vision <vision@WHITEHATS.COM>
Subject: Re: Roxen Web Server Vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

On Fri, 21 Jul 2000 zorgon@SDF.FREESHELL.ORG wrote:
> * Second problem:
> If you typed the URL: http://www.victim.com/%00/, you will see the contents of site
> in question. This vulnerability was directly tested on the Roxen's web site:
> http://www.roxen.com
>

Hi,

I ran a quick test and determined the following:

Sites NOT affected (versions according to HTTP banner):

  Roxen-Challenger/1.1
  Roxen-Challenger/1.1.1
  Roxen-Challenger/1.3.111
  Roxen-Challenger/1.3.120
  Roxen-Challenger/1.3.121
  Roxen-Challenger/1.3.122
  Roxen-Challenger/1.3.122-11
  Roxen-Challenger/1.3.126
  Roxen-Challenger/1.3.32
  Roxen-Challenger/1.2.46
  Roxen-Challenger/1.4.38
  Roxen/2.0.29
  Roxen/2.0.67 (such as www.roxen.com as of 07-21-2000)

Sites where this DOES work (neat, reminiscent of ?PageServices :)

  Roxen/2.0.46
  Roxen/2.0.50 (current distribution available for download!)
  Roxen/2.0.52
  Roxen/2.0.66

Max Vision
http://whitehats.com/