Sybex E-Trainer directory traversal vulnerability
12th Feb 2002 [SBWID-5091]



	All current ?? (as of 12 February 2002)


	ZeroBreak posted :

	The vulnerability that takes place is the infamous ".." directory
	traversal. With a specially crafted request to the web server you can
	view any file on the target's computer under the logged-in user's
	permissions. The request is in the format of:



	The web server is only running when a user runs the e-trainer course.
	When the user closes the browser the web server also shuts down.
	However, if the user opens the e-trainer and uses the same browser
	window to start browsing other websites, the web server will stay open.
	This could cause the vulnerable server to be running for an even longer
	period of time. It should also be noted that this web server has no
	logging features and it is open to any connection requests, not just
	from the local host.


	None yet.
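
	The three weaknesses described above (".." traversal, accepting connections from beyond the local host, no logging) handled in a small Python file server. This is an added example, not code from the advisory or from the E-Trainer product; `DOC_ROOT`, `BIND_ADDRESS`, port 8080 and the logger name are assumptions.

```python
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import unquote, urlsplit

log = logging.getLogger("courseware-httpd")  # hypothetical logger name
DOC_ROOT = Path("course")                    # hypothetical content directory
BIND_ADDRESS = ("127.0.0.1", 8080)           # loopback only, not all interfaces


def resolve_request_path(doc_root, request_target):
    """Return the file under doc_root that the target names, or None."""
    root = Path(doc_root).resolve()
    raw = unquote(urlsplit(request_target).path)
    # Treat '\' like '/' so Windows-style separators cannot slip through.
    parts = [p for p in raw.replace("\\", "/").split("/") if p not in ("", ".")]
    if ".." in parts or any(":" in p or "\x00" in p for p in parts):
        log.warning("rejected traversal attempt: %r", request_target)
        return None
    candidate = root.joinpath(*parts).resolve()
    # Containment check after resolution also catches symlinks leaving the root.
    if candidate != root and root not in candidate.parents:
        log.warning("rejected path outside root: %r", request_target)
        return None
    return candidate


class CourseHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        path = resolve_request_path(DOC_ROOT, self.path)
        if path is None or not path.is_file():
            self.send_error(404)
            return
        body = path.read_bytes()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Record every request so probing leaves a trace.
        log.info("%s %s", self.client_address[0], fmt % args)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    HTTPServer(BIND_ADDRESS, CourseHandler).serve_forever()
```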

