Bugtraq mailing list archives

Lil' HTTP Server Directory Traversal Vulnerability


From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Sun, 21 Apr 2002 10:00:32 -0500

Lil' HTTP Server is a Windows HTTP server that supports several features in
a relatively compact application.  It is vulnerable to a classic (stupid)
attack:

http://[target]/../../windows/win.ini

This link will read WIN.INI on Windows 95/98/Me, and with a slight
modification ("winnt" instead of "windows") would do the same on an NT box.
Scott Slater, the author of the tool, assured me that "we will look into
this and update it very soon".  This is encouraging to me, but the ease with
which this attack is conducted scares me.
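
The missing server-side check, as an added example that is not part of the original post and is not Lil' HTTP Server's code: the request path is normalised and must still lie under the document root before any file is opened. `DOC_ROOT`, `naive_resolve` and `safe_resolve` are hypothetical names, and `ntpath` is used so Windows path rules apply on any OS.

```python
import ntpath
from urllib.parse import unquote

# Hypothetical document root, chosen for illustration only.
DOC_ROOT = r"C:\LilHTTP\wwwroot"


def _relative_part(request_path):
    """Drop the query string, percent-decode, and convert to backslashes."""
    path = unquote(request_path.split("?", 1)[0])
    return path.replace("/", "\\").lstrip("\\")


def naive_resolve(request_path):
    """The flawed pattern: join onto the root and trust the result."""
    return ntpath.normpath(ntpath.join(DOC_ROOT, _relative_part(request_path)))


def safe_resolve(request_path):
    """Return a path inside DOC_ROOT, or None if the request escapes it."""
    rel = _relative_part(request_path)
    if "\x00" in rel:
        return None
    # A drive prefix would make ntpath.join discard DOC_ROOT entirely.
    if ntpath.splitdrive(rel)[0]:
        return None
    root = ntpath.normpath(DOC_ROOT)
    candidate = ntpath.normpath(ntpath.join(root, rel))
    # Containment check on the normalised path (Windows paths are
    # case-insensitive, so compare lowercased).
    if ntpath.commonpath([root, candidate]).lower() != root.lower():
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: the one from the post, its NT variant,
    # and two legitimate requests.
    for req in ("/../../windows/win.ini", "/../../winnt/win.ini",
                "/index.html", "/docs/../index.html"):
        print(f"{req!r:28} naive={naive_resolve(req)!r} "
              f"safe={safe_resolve(req)!r}")
```

String normalisation does not follow junctions or symlinks, so on a real Windows host the final path should also be resolved by the OS (for example with `os.path.realpath`) before the containment check.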

