SimpleServer:WWW Hex Encoded URL Directory Traversal Vulnerability

SimpleServer:WWW is a freely available HTTP daemon from AnalogX. It is designed for simplicity of operation.

A flaw in the web server could allow a remote user to execute arbitrary commands and potentially gain local access to the system. The flaw lies in the validation of URLs that have been encoded in hex. By encoding a URL in hex, it is possible to bypass any filtering for directory traversal and execute arbitrary programs on the local system.
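The ordering mistake described above, a traversal filter that runs before hex decoding, is shown here beside the corrected order of decode, canonicalize, then confine to the document root. This is an added example and not SimpleServer:WWW code, which this page does not show; it assumes the hex encoding is the usual `%XX` URL escaping, and the function names, `WEB_ROOT` and the sample paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www"  # assumed document root (hypothetical)

# Constructed sample request paths, not taken from the advisory.
SAMPLES = [
    "/index.html",
    "/../outside.txt",
    "/%2e%2e/%2e%2e/outside.txt",
    "/%2e%2e%5c%2e%2e%5coutside.txt",
]


def resolve_filter_then_decode(url_path):
    """Flawed order: the traversal check sees the raw, still-encoded path."""
    if ".." in url_path:            # only literal dots are caught here
        return None
    decoded = unquote(url_path)     # decoding happens after the check
    return posixpath.normpath(WEB_ROOT + "/" + decoded)


def resolve_decode_then_check(url_path):
    """Corrected order: decode once, canonicalize, then confine to WEB_ROOT."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators too, as a Windows server would.
    decoded = decoded.replace("\\", "/")
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # Decide on the canonical path, never on the request string.
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None
    return full


def compare(samples=SAMPLES):
    """Return (path, flawed_result, corrected_result) for each sample."""
    return [(p, resolve_filter_then_decode(p), resolve_decode_then_check(p))
            for p in samples]


if __name__ == "__main__":
    for path, flawed, fixed in compare():
        print(f"{path!r:40} flawed={flawed!r:28} fixed={fixed!r}")
```

The corrected function decodes exactly once, so a doubly encoded sequence stays a literal file name under the root instead of being interpreted as a separator or parent reference.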


 

Copyright 2010, SecurityFocus