Reported September 18, 2003, by Bahaa Naamneh.
Plug & Play Software's Plug & Play Web Server for Windows
A directory-traversal vulnerability in Plug & Play Software's Plug & Play Web Server for Windows can result in unauthorized read access to any file on the vulnerable server. The server does not reject the parent-directory sequences "../" and "..\" in a requested URL (on Windows the backslash is a path separator too), so an attacker can read any file that resides outside the intended Web-published directory.
The discoverer posted the following code as proof of concept:
http://localhost/../../
[shows the files and folders on the C drive if the 'Show Directory list when homepage does not exist' option is active]
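The following added example (not the vendor's code and not the discoverer's proof of concept) models the flaw and its fix side by side. `naive_map` does what the advisory describes: it glues the URL path onto the web root with no check, so "../" or "..\" walks out of the published directory. `safe_map` percent-decodes the path, treats both separators alike, refuses any request that still contains a ".." segment, and then confirms the resolved path is inside the root. The Windows root `C:\Inetpub\wwwroot` is an assumed, constructed value; `ntpath` is used so the Windows path semantics run on any platform.

```python
# Added example, not from the original advisory or from Plug & Play Software.
# Models a Windows web server's URL-to-file mapping with ntpath so that the
# Windows semantics (backslash as separator, drive letters) run anywhere.
import ntpath
from urllib.parse import unquote

# Constructed example web root; an assumption, not a value from the advisory.
WEB_ROOT = "C:\\Inetpub\\wwwroot"


def naive_map(url_path: str, web_root: str = WEB_ROOT) -> str:
    """The vulnerable pattern: join the URL path onto the root and trust it.

    "../../" or "..\\..\\" climbs above the root, so the result can be
    any path on the drive, e.g. "C:\\" for the advisory's proof of concept.
    """
    return ntpath.normpath(ntpath.join(web_root, url_path.lstrip("/")))


def safe_map(url_path: str, web_root: str = WEB_ROOT):
    """Hardened mapping: return the file path under web_root, or None.

    None means the request tried to escape the published directory and
    should be answered with 400/403 and logged, not silently clamped.
    """
    # Decode percent-encoding first so "%2e%2e/" is seen as "../".
    decoded = unquote(url_path)
    # The server runs on Windows, where "\" is also a separator, so treat
    # "..\" exactly like "../" by normalising separators before splitting.
    decoded = decoded.replace("\\", "/")
    # Drop empty and "." segments; anything left that is ".." is traversal.
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None
    # Build the candidate path from the surviving segments.
    candidate = ntpath.normpath(ntpath.join(web_root, *segments))
    # Defence in depth: a segment such as "D:" would make ntpath.join
    # restart at another drive, so confirm the result is still under root.
    root = ntpath.normpath(web_root)
    if not (candidate == root or candidate.startswith(root + "\\")):
        return None
    return candidate


if __name__ == "__main__":
    for request in ("/index.html", "/../../", "/..\\..\\", "/%2e%2e/%2e%2e/"):
        print(f"{request!r:22} naive -> {naive_map(request)!r:32} "
              f"safe -> {safe_map(request)!r}")
```

The naive mapping turns the proof-of-concept request `/../../` into `C:\`, which is exactly the drive listing the discoverer reported. Note that `safe_map` decodes only one layer of percent-encoding; if the server decodes twice before mapping, the check must run after the final decode.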
Plug & Play Software (http://www.pandpsoftware.com/) has been notified.
Discovered by Bahaa Naamneh.