Bugtraq mailing list archives
The Simple Server HTTPd Directory Traversal
From: slipy () B10Z NET
Date: Sat, 24 Feb 2001 02:40:02 -0000
Introduction:

The Simple Server is a user-friendly web server that handles HTTP requests. It is Windows based, extremely convenient to configure, and coded in Java. It requires the Java Runtime Environment package in order to execute. Please note this program isn't the same as AnalogX's "Simple Server". This program was originally called Free Java Server but has since been renamed "The Simple Server".

The vendor's website is: http://dattaraj_rao.tripod.com/Java/
Download package at: http://dattaraj_rao.tripod.com/Java/MyServer.zip

Problem: Simple Directory Traversal

Adding the string "/../" to a URL allows an attacker to view any file on the server, provided they know where the file is located in the first place.

Examples:

http://www.VULNERABLE.com/../../../../Scandisk.log
^^ = Will obviously open the Scandisk.log file.

Note: The number of ../'s depends on where the httpd is installed and which file you are attempting to view.

Solution:

Vendor has been contacted. Waiting for a reply.

--------------------
b10z HTTPd advisory.
slipy () b10z net
February 23rd, 2001.
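The check a file-serving HTTP daemon needs in order to refuse the request shown in the advisory, as an added example that is not part of the original advisory and is not the vendor's code. The class name, the `resolve` method and the `wwwroot` document root are assumptions made for illustration; the request paths in `main` are constructed, the third being the advisory's own example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

public class SafeResolve {
    // Hypothetical document root; the advisory does not say where the server keeps its files.
    static final Path DOC_ROOT = Paths.get("wwwroot").toAbsolutePath().normalize();

    /** Maps a request path to a file under DOC_ROOT, or empty if it would leave the root. */
    static Optional<Path> resolve(String requestPath) {
        try {
            // Decode first so the check runs on the path in its final form.
            String decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8);
            if (decoded.indexOf('\0') >= 0) {
                return Optional.empty();
            }
            // Treat backslashes as separators (Windows host) and drop leading slashes
            // so the request is always resolved relative to the document root.
            String relative = decoded.replace('\\', '/').replaceFirst("^/+", "");
            Path candidate = DOC_ROOT.resolve(relative).normalize();
            // normalize() collapses ".." segments; a result outside the root is refused.
            return candidate.startsWith(DOC_ROOT) ? Optional.of(candidate) : Optional.empty();
        } catch (IllegalArgumentException e) {
            // Malformed percent-encoding, or a path the platform cannot represent.
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed request paths; the third is the example from the advisory.
        String[] samples = {
            "/index.html",
            "/docs/../index.html",
            "/../../../../Scandisk.log"
        };
        for (String s : samples) {
            String verdict = resolve(s).map(p -> "serve " + p).orElse("403 Forbidden");
            System.out.println(s + " -> " + verdict);
        }
    }
}
```

The first two paths resolve to `index.html` under the root and the third is refused. `normalize()` is purely lexical, so a server that may have symbolic links under its root should also compare `toRealPath()` of the file against the root before opening it.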