Miniwebsvr 0.0.6 - Directory traversal

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Miniwebsvr 0.0.6 - Directory traversal
From: Daniel Nyström <daniel.nystrom@xxxxxxxxx>
Date: Mon, 12 Feb 2007 00:25:49 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcdOM/aLrOYNAnKARd2CfxlY6oQtfA==

Hello!

Miniwebsvr 0.0.6 suffers from a directory traversal flaw.

"Exploit" :

        http://yoursite/..%00


Attack vector seems limited as you're only able to list one level down.

Cheers,

Daniel Nyström, daniel.nystrom@xxxxxxxxx
Fredrik Wessberg, fredd3@xxxxxxxxxxx

Prev by Date: Firefox/MSIE focus stealing vulnerability - clarification
Next by Date: Re: Re[2]: Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilities
Previous by thread: Re: DotClear Full Path Disclosure Vulnerability
Next by thread: Radical Technologies - Portal Search- multiple XSS issue
Index(es):
- Date
- Thread