Core Security Technologies Advisory - MacOS X Server 10.5, also known as Leopard Server, features a Wiki Server, which is a multiuser web application written in Python. The Wiki Server is vulnerable to a path traversal attack, which can be exploited by non-privileged system users via a forged file upload to write arbitrary files on locations in the server filesystem, restricted only by privileges of the Wiki Server application.
c67ec7aad2757e9458328c5a8740092dd9f2f141c751d7cdcaf51eb246f95da2