💾 Archived View for alexey.shpakovsky.ru › gemlog › disabling-path-traversal.gmi captured on 2023-11-14 at 07:52:31. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2022-03-01)
-=-=-=-=-=-=-
Originally posted: 2022-02-05 ~ Last updated: 2022-02-12
In recent two days, two gemini servers fixed path traversal vulnerabilities.
First, thanks to Acidus for responsibly disclosing, and int80h for promptly fixing the issue in gemserv:
Second, the JAGS-PHP developer Matthias Weiß fixed an issue (pointed out by Tyler Spivey) in the JAGS-PHP server:
Is it a weekend of fixing path traversal vulnerabilities in gemini clients? Naturally I decided to support this trend and fix the well-known path traversal vulnerability in my simple bash gemini server. So now when it detects a path traversal attempt - it prints its own source code, instead! :D
That was a fun joke, but two days later I removed in and uploaded the code to github. Please refer to the original article on how and where to get the code:
Original article announcing the Gemini server written in bash.
Please feel free everyone to check if you can find any vulnerabilities there!
Also I've added titan support and "donate" ;) button (link, actually) and titan protocol, so now I can edit posts in the same application as where I read them! It's a subject for future posts, but if you manage to find a vulnerability there (or figure out my titan password) - please do let me know!