Reported October 3, 2003 by Bahaa Naamneh.

 

 

VERSIONS AFFECTED

 

Minihttpserver File Sharing for net 1.5

 

DESCRIPTION

 

A directory-traversal vulnerability in Minihttpserver File Sharing for net 1.5 can permit an attacker read access to any file outside the intended Web-published file system directory. The attacker can exploit the vulnerability by using the '../' or '..\' string in a URL.

 
DEMONSTRATION
 
The discoverer posted the following demonstration as proof of concept:
 
Examples:

 

---------

 

http://127.0.0.1/../../../ Program Files/FileSharing for NET/User.ini

 

http://127.0.0.1/../../../windows/win.ini

VENDOR RESPONSE

Minihttpserver.net has been notified and will release a patch for this vulnerability.

CREDIT

Discovered by Bahaa Naamneh.