Reported September 18, 2003, by Bahaa Naamneh.
Plug & Play Software's Plug & Play Web Server for Windows
A vulnerability in Plug & Play Software's Plug & Play Web Server for Windows can result in unauthorized read access to any file located on the vulnerable server. By using the "../" or "..\" string in a URL, an attacker can gain read access to any file that resides outside the intended Web-published file system directory.
The discoverer posted the following code as proof of concept:
http://localhost/../../ [shows the files and the folders on the C drive, if the 'Show Directory list when homepage does not exist' option is active]
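The containment check a web server needs to stop this class of request can be sketched as follows. This is an added example, not code from the discoverer or the vendor; the document root `C:\wwwroot` and the function name `resolve_request_path` are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS for this demonstration
from urllib.parse import unquote

WEB_ROOT = r"C:\wwwroot"  # assumed document root; the advisory does not name one


def resolve_request_path(url_path, web_root=WEB_ROOT):
    """Return the file path a URL maps to, or None if it leaves web_root."""
    decoded = unquote(url_path)  # an HTTP server decodes the path before use
    if "\x00" in decoded:
        return None
    # Windows accepts both separators, so "../" and "..\" must be treated alike.
    relative = decoded.replace("/", "\\").lstrip("\\")
    if ntpath.splitdrive(relative)[0]:  # "C:..." would replace the root in join()
        return None
    root = ntpath.normcase(ntpath.normpath(web_root))
    # normpath collapses every ".." segment before the containment check.
    candidate = ntpath.normpath(ntpath.join(web_root, relative))
    try:
        # Compare whole path components; a plain prefix test would accept
        # a sibling such as C:\wwwroot-old.
        inside = ntpath.commonpath([root, ntpath.normcase(candidate)]) == root
    except ValueError:  # different drives
        return None
    return candidate if inside else None


if __name__ == "__main__":
    # Constructed request paths; the second is the form shown in the advisory.
    for path in ["/index.html", "/../../", "/..\\..\\", "/docs/../index.html"]:
        print(f"{path!r:24} -> {resolve_request_path(path)}")
```

A request is served only when the function returns a path; `None` should produce an error response and a log entry, since "../" or "..\" sequences that climb above the root do not occur in normal browsing.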
Plug & Play Software has been notified.
Discovered by Bahaa Naamneh.