Reported October 3, 2003 by Bahaa Naamneh.

 

 

VERSIONS AFFECTED

 

Minihttpserver File Sharing for net 1.5

 

DESCRIPTION

 

A directory-traversal vulnerability in Minihttpserver File Sharing for net 1.5 can permit an attacker read access to any file outside the intended Web-published file system directory. The attacker can exploit the vulnerability by using the '../' or '..\' string in a URL.

DEMONSTRATION

The discoverer posted the following demonstration as proof of concept:

Examples:

 

---------

 

http://127.0.0.1/../../../ Program Files/FileSharing for NET/User.ini

 

http://127.0.0.1/../../../windows/win.ini
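
A defensive counterpart to the demonstration above, as an added example that is not part of the original advisory or the vendor's code: a request-path resolver that decodes once, treats both '/' and '\' as separators, and refuses any '..' segment. The root `/srv/share`, the function names and the sample targets are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/share"  # assumption: hypothetical published directory

def resolve_request_path(raw_target, root=WEB_ROOT):
    """Return the path under root for a request target, or None to reject it."""
    path = raw_target.partition("?")[0]   # drop any query string
    path = unquote(path)                  # decode exactly once: %2e%2e%2f -> ../
    if "\x00" in path:
        return None
    # A Windows server accepts '\' as a separator, so fold it into '/'
    # before looking at segments; a '/'-only check would miss the '..\' form.
    segments = [s for s in path.replace("\\", "/").split("/") if s not in ("", ".")]
    # Refuse parent-directory segments outright instead of trying to clean them.
    if ".." in segments:
        return None
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Defence in depth: the joined result must still sit inside the root.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate

# Constructed sample targets: the advisory's two request paths plus
# backslash and percent-encoded spellings of the same sequence.
SAMPLES = [
    "/docs/readme.txt",
    "/../../../ Program Files/FileSharing for NET/User.ini",
    "/../../../windows/win.ini",
    "/..\\..\\..\\windows\\win.ini",
    "/%2e%2e/%2e%2e/windows/win.ini",
    "/..%5c..%5cwindows%5cwin.ini",
    "/docs/notes..old/file.txt",
]

def check_samples():
    """Map each sample target to its resolved path, or None if rejected."""
    return {target: resolve_request_path(target) for target in SAMPLES}

if __name__ == "__main__":
    for target, resolved in check_samples().items():
        print(f"{target!r:60} -> {resolved or 'REJECTED'}")
```

The check works on the path string only; it does not follow symbolic links or junctions on disk.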

VENDOR RESPONSE

Minihttpserver.net (http://www.minihttpserver.net/home/index.php) has been notified and will release a patch for this vulnerability.

CREDIT

Discovered by Bahaa Naamneh.