AnalogX Directory Traversal

Reported July 31, 2000 by Foundstone

VERSIONS AFFECTED

SimpleServer 1.06

DESCRIPTION

SimpleServer adequately protects against directory traversal when attempted via the typical dot dot slash (../) syntax. However, if the ASCII characters for the dots are replaced with their percent-encoded hexadecimal equivalent (%2E), then directory traversal can succeed.

DEMONSTRATION

http://TestWebServer/%2E%2E/filename.ext
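As an added illustration, not part of the Foundstone advisory or the SimpleServer code, the Python below contrasts a check that searches the raw request path for a literal dot dot slash (which the %2E form evades) with one that percent-decodes and normalizes the path before confining it to a hypothetical document root (/srv/www), so the check runs on the same path the server would actually open.

```python
"""Canonicalize-then-check for HTTP request paths (added example)."""
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # hypothetical document root for the demonstration


def naive_is_safe(url_path: str) -> bool:
    """Mimics the flawed approach: look for a literal dot-dot in the raw,
    still percent-encoded request path. '%2E%2E/' slips straight through."""
    return "../" not in url_path and "..\\" not in url_path


def resolve_safely(url_path: str, docroot: str = DOCROOT):
    """Decode first, normalise, then confine the result to the document root.

    Returns the absolute filesystem path to serve, or None when the request
    escapes docroot. Because the check is applied to the decoded, normalised
    path, the encoding used in the request no longer matters.
    """
    decoded = unquote(url_path)           # %2E -> '.', %2F -> '/', %5C -> '\'
    decoded = decoded.replace("\\", "/")  # Windows servers treat '\' as a separator
    candidate = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    # Accept docroot itself or anything strictly below it; comparing against
    # docroot + "/" stops a sibling such as '/srv/www2' from passing.
    if candidate == docroot or candidate.startswith(docroot + "/"):
        return candidate
    return None


def compare(url_path: str) -> dict:
    """Side-by-side verdict of both checks for one request path."""
    return {"naive_allows": naive_is_safe(url_path),
            "resolved": resolve_safely(url_path)}


if __name__ == "__main__":
    for req in ("/docs/index.html", "/../secret.txt", "/%2E%2E/secret.txt"):
        print(req, compare(req))
```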

VENDOR RESPONSE

AnalogX released an updated version 1.07 of the product, which corrects the vulnerability.

CREDIT
Discovered by Foundstone
