Reported March 9, 2003, by Dennis Rand.
Minihttp’s Forum Web Server version 1.60
The discoverer posted the following scenarios as proof of concept:
Within the FileSharing area, press the "Upload new file" button, then write the following in the upload field:
This will now be "uploaded" to the area you selected.
When posting or replying to a message in the "Message Forum" it is possible to exploit an XSS vulnerability. The vulnerability exists in both the Subject and Message properties.
Insert this into either Subject or Message property:
< script>alert('I OwN You');</script>
Using the Traversal vulnerability it is possible to get the whole username and password file used by the Forum Web Server. This is done by simply supplying the following "upload file": \\<vuln-host>\c$\program Files\web forums server\user.ini. The usernames and passwords themselves are stored in clear text.
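Both flaws described above come from trusting client-supplied strings: the upload field is treated as a path the server resolves itself, and the Subject and Message fields are written into the page unencoded. The following sketch of the two checks is an added example, not code from Minihttp or from the original report; the function names `safe_upload_name`, `render_post` and `is_rejected` are hypothetical.

```python
import html
from pathlib import PureWindowsPath

# Characters never allowed in a stored file name (path separators, the
# drive/stream colon, wildcards, HTML-significant brackets).
FORBIDDEN = set('<>:"/\\|?*')


def safe_upload_name(field: str) -> str:
    """Return a bare file name taken from the upload field, or raise ValueError.

    The server then stores the bytes the client sent under this name; it
    never opens the submitted string as a path on its own disk or network.
    """
    path = PureWindowsPath(field.strip())
    # anchor is non-empty for UNC shares (\\host\share\), drive letters
    # (C:\ or C:) and rooted paths (\dir), all of which are rejected.
    if path.anchor:
        raise ValueError("absolute, drive-relative or UNC path rejected")
    # Exactly one component: no directories and no '..' traversal.
    if len(path.parts) != 1 or path.name in ("", ".", ".."):
        raise ValueError("directory components rejected")
    if FORBIDDEN & set(path.name) or any(ord(c) < 32 for c in path.name):
        raise ValueError("forbidden character in file name")
    return path.name


def render_post(subject: str, message: str) -> str:
    """Build the HTML for one forum post with both fields entity-encoded."""
    return "<h3>{}</h3>\n<p>{}</p>".format(
        html.escape(subject, quote=True), html.escape(message, quote=True)
    )


def is_rejected(field: str) -> bool:
    """True when safe_upload_name() refuses the submitted upload field."""
    try:
        safe_upload_name(field)
    except ValueError:
        return True
    return False
```

Encoding at output time covers posts already stored in the forum as well as new ones. The clear-text `user.ini` is a separate weakness that neither check addresses.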
The vendor, Minihttp, has released version 1.61, which is not vulnerable to this condition.
Discovered by Dennis Rand.