[24377] in bugtraq
SecurityOffice Security Advisory:// Essentia Web Server Directory Traversal Vulnerability
daemon@ATHENA.MIT.EDU (Tamer Sahin)
Fri Feb 22 14:33:24 2002
Message-ID: <003b01c1bb2f$9daa1130$b0b083d9@ts>
Reply-To: "Tamer Sahin" <ts@securityoffice.net>
From: "Tamer Sahin" <ts@securityoffice.net>
To: <bugtraq@securityfocus.com>
Date: Fri, 22 Feb 2002 01:29:31 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Essentia Web Server Directory Traversal Vulnerability
Type:
Directory Traversal
Release Date:
February 22, 2002
Product / Vendor:
The Essentia Web Server provides Enhanced Web Application and
Communication Services. Whether you are setting up a simple Web Site
on your Corporate Intranet or creating large sites for the Internet,
Essentia provides a simple and flexible way to make an even stronger
Web and Applications Platform.
http://www.essencomp.com/
Summary:
Adding the string "/../" to a URL allows an attacker to view and
download any file on the server.
http://host/../../
Tested:
Windows 2000 / Essentia Web Server 2.1
Vulnerable:
Essentia Web Server 2.1 (and possibly other versions)
Disclaimer:
http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.
Author:
Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA+AwUBPHWC2ruLpFMrXtywEQIznACWIVpTJ1X6NQqoMEyywWaNV19BowCgmeQt
at/GRkKMMQT1rGYMUK5RfGc=
=0tV7
-----END PGP SIGNATURE-----
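
The traversal described in the Summary, seen from the server side: an added example, not part of the original advisory and not Essentia's code, showing the naive path mapping beside a contained one. The document root /srv/www, the function names and the sample request paths are constructed assumptions.

```python
"""Added example: naive vs. contained mapping of a URL path onto a document root."""
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # hypothetical document root (assumption)


def resolve_naive(url_path):
    """Vulnerable pattern: join the request path to DOCROOT and normalise.

    '..' segments are honoured, so the result can land outside DOCROOT.
    """
    return posixpath.normpath(DOCROOT + "/" + url_path)


def resolve_contained(url_path):
    """Return a path inside DOCROOT, or None if the request must be refused."""
    decoded = unquote(url_path)           # decode once, so %2e%2e is seen as '..'
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")  # Windows hosts treat '\' as a separator
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":                   # stricter than needed: refuse any parent ref
            return None
        parts.append(seg)
    candidate = posixpath.normpath(posixpath.join(DOCROOT, *parts))
    # Defence in depth: confirm containment after normalisation.
    if posixpath.commonpath([DOCROOT, candidate]) != DOCROOT:
        return None
    return candidate


# Constructed request paths, including the advisory's "/../../" form.
SAMPLES = ["/index.html", "/../../outside.txt",
           "/%2e%2e/%2e%2e/outside.txt", "/..\\..\\outside.txt"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:32} naive={resolve_naive(p)!r:24} contained={resolve_contained(p)!r}")
```

The check is string-based only; a real server should also resolve symbolic links before comparing against the document root.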