Bugtraq mailing list archives
Re: Vulnerability in AOLserver
From: bugtraq () ARTEMAS REACHIN COM
Date: Thu, 8 Feb 2001 22:41:53 -0800
AOLserver v3.2 is a web server available from http://www.aolserver.com. A vulnerability exists which allows a remote user to break out of the web root using relative paths (i.e. '...').
AOLserver v3.2 on Linux (RH 6.0) does not appear to be vulnerable. OS-dependent code?
Correct. Microsoft Windows has an undocumented "feature" where '...\' or '....\' or '......\' point to parent directories. This feature is obscure and undocumented enough that almost every single web server ported to Windows allows viewing of files above the document root with this feature. In fact, Microsoft's own personal web server had this problem at one point. Linux has had similar problems with undocumented interfaces. It was discovered about a year ago that by using undocumented calls that restrict privileges, an attacker could set things up so that a SUID root application could not drop its root privileges.
- Sam
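The defensive side of the thread, as an added example that is not AOLserver's code or anything posted above: a request-path-to-file mapper that refuses the dot-run segments ('...', '....') the reply describes, and separately canonicalises the joined path and checks it still lies under the document root so ordinary '..' traversal (including percent-encoded and backslash forms, which goes beyond the single case in the thread) is caught as well. The document root and request paths are constructed for illustration; nothing is read from disk.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example; it need not exist on disk.
DOCROOT = "/var/www/html"


def normalize_request_path(url_path: str) -> str:
    """Percent-decode the request path and fold backslashes to slashes.

    Folding backslashes matters on Windows, where the file API accepts
    '\\' as a separator even when the HTTP layer only looked at '/'.
    """
    return unquote(url_path).replace("\\", "/")


def has_dot_run_segment(path: str) -> bool:
    """True if any segment is three or more dots ('...', '....', ...).

    posixpath.normpath treats such a segment as an ordinary file name, so
    the canonical-prefix check in map_to_file would let it through; the
    thread reports that Windows maps it to a parent directory instead, so
    it is rejected outright. ('.' and '..' are handled by normalization.)
    """
    return any(len(seg) >= 3 and seg.strip(".") == "" for seg in path.split("/"))


def map_to_file(docroot: str, url_path: str):
    """Return the file path a request maps to, or None if it is unsafe.

    Three independent checks, each catching something the others miss:
    a NUL byte (would truncate the path in a C file API), a dot-run
    segment (Windows-specific parent reference), and a canonical-prefix
    check on the joined path (plain '..' traversal in any encoding).
    """
    path = normalize_request_path(url_path)
    if "\x00" in path:
        return None
    if has_dot_run_segment(path):
        return None
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(root + "/" + path)
    # '..' is resolved lexically here; the result must still sit at or
    # below the root. A production server would also resolve symlinks.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```

Rejecting any all-dots segment of length two or more is also reasonable and simpler; the split here only serves to show that canonicalisation alone is not enough on Windows, because normpath does not know that '...' means "parent".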