myServer Input Validation Flaw Discloses Files on the System to Remote Users
Category: Vulnerability Posted: 2003-09-27 by ReCall
Details
Description: Arnaud Jacques (aka scrap) reported a directory traversal vulnerability in myServer. A remote user can view arbitrary files on the system with the privileges of the web service.
It is reported that a remote user can submit a specially crafted URL to view files on the system that are located outside of the web document directory. To exploit this flaw, the URL must combine directory traversal sequences: it should contain the '/.' string once for each change in directory level plus one additional occurrence, followed by the appropriate number of '/..' strings. Some demonstration examples are provided:
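From the defender's side, requests of the shape described above are stopped by resolving dot segments before the path is joined to the document root and refusing any '..' that would climb above it. The following is an added example, not code from myServer or from the advisory; `DOC_ROOT`, the function names and the sample requests are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/www"  # assumed document root for this example


class TraversalError(ValueError):
    """Raised when a request path would leave the document root."""


def resolve_request_path(url_path, doc_root=DOC_ROOT):
    """Map a URL path to a file path under doc_root, or raise TraversalError."""
    decoded = unquote(url_path)  # decode once, before any check is made
    if "\x00" in decoded or "\\" in decoded:
        raise TraversalError("illegal character in path")
    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue  # '.' and empty segments never change the depth
        if segment == "..":
            if not stack:  # would climb above the document root
                raise TraversalError("path escapes document root")
            stack.pop()
        else:
            stack.append(segment)
    candidate = posixpath.join(doc_root, *stack)
    # Defence in depth: re-check containment on the final string.
    if posixpath.commonpath([doc_root, candidate]) != doc_root:
        raise TraversalError("path escapes document root")
    return candidate


def is_blocked(url_path):
    """True when the request would be refused."""
    try:
        resolve_request_path(url_path)
        return False
    except TraversalError:
        return True


# Constructed requests: two ordinary ones, then '/.' and '/..' combinations
# of the kind the advisory describes, plain and percent-encoded.
SAMPLES = ["/index.html", "/docs/./a/../b.html", "/././..", "/%2e/%2e/%2e%2e"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", "blocked" if is_blocked(s) else resolve_request_path(s))
```

The check treats '/.' as a no-op regardless of how many times it appears, so the count of '/.' strings cannot offset the '/..' strings that follow.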