Bugtraq mailing list archives

The Simple Server HTTPd Directory Traversal


From: slipy () B10Z NET
Date: Sat, 24 Feb 2001 02:40:02 -0000

Introduction:

The Simple Server is a user-friendly web server
that handles HTTP requests. It is Windows based,
extremely convenient to configure, and coded
in Java; the Java Runtime Environment package
must be installed for the program to run. Please
note this program is not the same as AnalogX's
"Simple Server". This program was originally
called Free Java Server but has since been
renamed "The Simple Server".


The Vendors website is:
http://dattaraj_rao.tripod.com/Java/

Download Package at:
http://dattaraj_rao.tripod.com/Java/MyServer.zip


Problem: Simple Directory Traversal

Adding the string "/../" to a URL allows an attacker to
view any file on the server, provided the attacker already
knows where the file is located.


Examples:

http://www.VULNERABLE.com/../../../../Scandisk.log
^^ = Will obviously open the Scandisk.log file.


Note: The number of "../" segments needed depends on where
the httpd is installed and which file you are attempting to view.
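The following is an added example, not code from the advisory or from The Simple Server itself (its Java source is not on this page, so the example is written in Python). It places the naive mapping that produces this class of bug next to a hardened mapping that decodes the request path, normalizes Windows backslashes, walks the segments, and refuses any request that would climb above the document root. The document root "C:/MyServer/htdocs" is a constructed value; the advisory does not state where the server is installed.

```python
"""Added example (not from the advisory): naive vs. hardened mapping of an
HTTP request path onto a file under the document root."""
import posixpath
from urllib.parse import unquote

# Constructed document root for the examples; the advisory gives no install path.
DOCROOT = "C:/MyServer/htdocs"


def naive_map(docroot, request_path):
    """The pattern behind a traversal bug: concatenate the URL path onto the
    document root and let path normalization resolve '..' segments, which can
    walk above docroot. Returned only to show where the file would be read from."""
    joined = posixpath.join(docroot, request_path.lstrip("/"))
    return posixpath.normpath(joined)


def safe_map(docroot, request_path):
    """Map a request path onto a file under docroot, or return None if the
    request would escape it.

    Decoding and separator normalization happen before the segment walk so
    that percent-encoded ('%2e%2e') and backslash ('..\\') variants are judged
    exactly like a literal '../'.
    """
    # Drop query string and fragment, then decode percent-encoding.
    path = unquote(request_path.split("?", 1)[0].split("#", 1)[0])
    # Windows treats backslash as a separator; fold it into '/'.
    path = path.replace("\\", "/")

    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue              # empty or current-directory segment: no effect
        if seg == "..":
            if not segments:
                return None       # attempt to climb above the document root
            segments.pop()        # '..' inside docroot just backs up one level
        else:
            segments.append(seg)

    target = posixpath.join(docroot, *segments) if segments else docroot
    # Belt-and-braces guard: the normalized target must still lie under docroot.
    if posixpath.commonpath([docroot, posixpath.normpath(target)]) != docroot:
        return None
    return target


if __name__ == "__main__":
    # Constructed requests, including the traversal shape from the advisory.
    for req in ("/index.html", "/docs/../index.html?x=1",
                "/../../Scandisk.log", "/%2e%2e/%2e%2e/Scandisk.log",
                "/..\\..\\Scandisk.log"):
        print(f"{req!r:40} naive={naive_map(DOCROOT, req)!r:32} "
              f"safe={safe_map(DOCROOT, req)!r}")
```

The naive mapping shows the file the OS would actually open, which for the traversal requests is outside the document root; the hardened mapping returns None for those same requests, which a server should turn into a 403 or 404 rather than an open() call.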


Solution:

Vendor has been contacted. Waiting for a reply.

--------------------
b10z HTTPd advisory.
slipy () b10z net

February 23rd, 2001.

