WhitSoft's SlimServe HTTPd Web Server Gives Users Remote Access to Files Outside of the Server's Main Directory
SecurityTracker Alert ID: 1000992
SecurityTracker URL: http://securitytracker.com/id/1000992
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 6 2001
Impact:
Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): ver. 1.1a
Description:
The SlimServe HTTPd web server allows authorized users to access files that reside outside of the server's web root directory.
According to the report, disabling folder listings (a feature that is enabled by default) keeps you safe from viewing directories outside of the web server's web root directory. However, it does not protect against file downloads where the file paths and names are known or can be guessed.
The vendor has reportedly been contacted.
Impact:
Authorized users can remotely access files that reside outside of the web server's root directory.
Solution:
No solution was available at the time of this entry.
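A path check of the kind that would refuse the requests in this report, as an added example that is not SlimServe's code or part of the original alert. It assumes the `...` segments in the reported URLs are literal dot-only path segments, uses a hypothetical web root, and is meant to run on every request, since turning off folder listings alone leaves file downloads open.

```python
import ntpath
from urllib.parse import unquote

# Hypothetical web root; the report does not give the install path.
WEB_ROOT = r"C:\slimserve\wwwroot"


class Rejected(Exception):
    """The request path must not be mapped to the filesystem."""


def resolve(url_path, root=WEB_ROOT):
    """Map a URL path to a Windows path under root, or raise Rejected.

    Intended to run for every request (file download and folder listing),
    before any filesystem call.
    """
    decoded = unquote(url_path)  # so %2e%2e%2e is judged like "..."
    safe = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue  # empty or current-directory segment
        # Win32 path handling can drop trailing dots and spaces, so judge
        # the name that would actually be opened.
        name = seg.rstrip(". ")
        if not name:
            # "..", "...", "....", ". ." and similar: never a real name.
            raise Rejected("dot-only segment: %r" % seg)
        if ":" in name:
            raise Rejected("drive or stream specifier: %r" % seg)
        safe.append(name)
    candidate = ntpath.normpath(ntpath.join(root, *safe))
    # Defence in depth: the canonical result must still sit under the root.
    root_cmp = ntpath.normcase(ntpath.normpath(root))
    if ntpath.commonpath([root_cmp, ntpath.normcase(candidate)]) != root_cmp:
        raise Rejected("escapes web root: %r" % url_path)
    return candidate


def is_servable(url_path):
    """True when resolve() accepts the path (convenience for callers)."""
    try:
        resolve(url_path)
        return True
    except Rejected:
        return False
```

This policy is deliberately strict: it refuses every dot-only segment other than `.`, including `..` sequences that would have stayed inside the web root.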
Vendor URL: www.whitsoftdev.com/
Cause:
Access control error
Underlying OS:
Windows (Any)
Message History:
None.
Source Message Contents
Date: Sat, 3 Mar 2001 09:36:52 -0000
Subject: SlimServe HTTPd ver. 1.1a Directory Traversal
It is possible to view dir. and (download) files outside of the wwwroot directory.
Exploit:
http://127.0.0.1/.../
http://127.0.0.1/.../.../directory/file.xxx
Solution:
Disable folder listings (it is enabled by default), which will secure you from viewing dir. outside of the wwwroot dir. But it is still possible to download or view files when the location is known.
The author has been contacted on 03.March.2001. No reply was received yet.
se00020@fhs-hagenberg.ac.at