Eserv 2.50 Web Server Directory Traversal Vulnerability
Reported November 8, 1999 by USSRLabs
USSRLabs discovered a problem with the Eserv Web Server, where directories may be traversed using the string "../" in a URL. Through this problem, an attacker can gain read access to any file outside of the intended web-published filesystem directory.
A URL such as http://127.1:3128/../../../conf/Eserv.ini can be used to show the contents of the site's configuration file, including user account names.
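The check a web server needs before opening a requested file, as an added example that is not Eserv's code and not part of the original advisory: the request path is decoded, normalized, and refused if it resolves outside the published directory. The document root `/srv/eserv/wwwroot` and the function name `resolve_request_path` are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed document root, constructed for this example (not Eserv's real layout).
DOCROOT = "/srv/eserv/wwwroot"


def resolve_request_path(url, docroot=DOCROOT):
    """Map a request URL to a file path under docroot.

    Returns the normalized path, or None when the request would leave
    the published directory.
    """
    raw_path = urlsplit(url).path

    # Decode percent-escapes first so the containment check sees the same
    # characters the filesystem layer would see.
    decoded = unquote(raw_path)

    # A Windows filesystem accepts "\" as a separator, so treat it as "/".
    decoded = decoded.replace("\\", "/")

    # A NUL byte can truncate the name in lower layers; refuse it outright.
    if "\x00" in decoded:
        return None

    # Join under the root, then collapse "." and ".." segments lexically.
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))

    # Containment check on the normalized result, not on the raw string.
    if candidate != root and not candidate.startswith(root + "/"):
        return None

    # This check is lexical only. A server that follows symbolic links or
    # junctions must also compare os.path.realpath() of both paths.
    return candidate


if __name__ == "__main__":
    # Constructed sample requests; the second is the URL from the advisory.
    for url in ("http://127.1:3128/index.html",
                "http://127.1:3128/../../../conf/Eserv.ini",
                "http://127.1:3128/docs/../index.html"):
        print(url, "->", resolve_request_path(url))
```

A `None` result should be answered with an error status and logged, since a request that normalizes outside the root is not something a legitimate client sends.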
VENDOR RESPONSE
None as of November 8, 1999.
Reported by USSRLabs
Posted here at NTSecurity.NET on November 8, 1999