Vulnerability

Jana HTTP Server

Affected

Jana HTTP Server

Description

eAX found the following. He found a directory traversal bug again, this time in the JANA HTTP Server software, available as freeware from http://www.jana-server.ocm.de. Here is how to exploit the bug for cracking systems running Jana. eAX tested it with Jana 1.45 on Windows 98 and Windows 2000:

1. Open a browser window
2. Type, e.g., http://the.server.com/./.././.././.././windows/win.ini

You will notice that the server offers win.ini for download (if Jana is installed in the default path; otherwise the URL has to be modified). You can imagine how to modify the URL to download any file you want.

Solution

Nothing yet.
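
For anyone writing or reviewing a file-serving handler, here is the document-root containment check whose absence the URL above demonstrates. This is an added example, not Jana's code and not part of the original advisory; the document root and the function names are assumptions, and posixpath is used so the sketch behaves the same on any OS.

```python
import posixpath
from urllib.parse import unquote, urlsplit

DOCROOT = "/srv/jana/htdocs"  # hypothetical document root (assumption)

def naive_resolve(docroot, url):
    """Flawed pattern: append the request path to the root and open the result."""
    path = unquote(urlsplit(url).path)
    return posixpath.normpath(docroot + path)

def safe_resolve(docroot, url):
    """Return the canonical path inside docroot, or None if the request leaves it."""
    path = unquote(urlsplit(url).path)       # decode once, then validate the decoded form
    if "\x00" in path:
        return None
    path = path.replace("\\", "/")           # Windows treats both as separators
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # Compare on a separator boundary so "/srv/jana/htdocs-old" is not accepted.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

if __name__ == "__main__":
    # First URL is a constructed benign request; second is the one from the advisory.
    for url in ("http://the.server.com/index.html",
                "http://the.server.com/./.././.././.././windows/win.ini"):
        print(url, "| naive:", naive_resolve(DOCROOT, url),
              "| checked:", safe_resolve(DOCROOT, url))
```

The check runs on the fully decoded and normalized path, and the handler must open exactly the string it validated rather than the raw request path.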