Reported November 20, 2003, by nimber.
Net-X Solutions Ltd’s NetServe 1.0.7
Two newly discovered vulnerabilities in Net-X Solutions Ltd’s NetServe 1.0.7 can result in the remote compromise of the vulnerable system. The first vulnerability is a directory-traversal vulnerability, and the second vulnerability is a configuration- and password-disclosure vulnerability.
The discoverer has posted the following scenarios as proof of concept:
The NetServe server doesn’t properly filter " /../../ ", thereby permitting an attacker to view files that reside below the bounding HTML root directory.
You can view either directories http://\[victim\]/../test/, or files http://\[victim\]/../test/test.txt.
By default, NetServe's configuration files contain a directory below the wwwroot's. Using the above vulnerabilities, a remote attacker can download the remote server's configuration by requesting a special URL.
By requesting http://\[victim\]/../config.dat, an attacker can view the server's configuration file.
Net-X Solutions Ltd has been notified.
Discovered by nimber.