Reported August 24, 2000 by Crono
- O'Reilly Website Pro 2.3.7
By default, Website Pro creates several directories that the Web server uses during operation, and these directories have loose security permissions that allow any user to access them. One directory in particular (cgi-win) contains a program (uploader.exe) that allows a user to upload files to the Web server. Because both the directory and the uploader.exe program have loose security permissions, an anonymous user can reach the program via a URL and upload files to the Web server.
O'Reilly is aware of this problem; however, no response was known at the time of this writing. Users should carefully inspect the security permissions for each Web server directory to ensure that no unauthorized access is allowed.
Discovered by Crono
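
Alongside the permission review, the server's access log can show whether the uploader has already been reached without authentication. The following is an added example, not part of the original advisory or of O'Reilly's software: it assumes the log is in Common Log Format and that cgi-win/uploader.exe is served at the URL path `/cgi-win/uploader.exe`; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident authuser [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: the cgi-win directory and uploader.exe are served at this URL path.
WATCHED = "/cgi-win/uploader.exe"

def normalize(target):
    """Decode, lower-case and collapse dot segments, as a Windows file lookup would."""
    path = unquote(urlsplit(target).path).replace("\\", "/").lower()
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)

def anonymous_uploader_hits(lines):
    """Return log entries where a client with no authenticated user requested the uploader."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["user"] != "-":
            continue  # unparseable line, or the request carried a user name
        path = normalize(m["target"])
        # Under CGI conventions, extra path info after the program name still addresses it.
        if path == WATCHED or path.startswith(WATCHED + "/"):
            hits.append({"host": m["host"], "time": m["time"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

# Constructed sample lines (documentation address ranges), not from a real server.
SAMPLE = [
    '192.0.2.10 - - [24/Aug/2000:10:01:02 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [24/Aug/2000:10:02:11 -0700] "POST /cgi-win/uploader.exe HTTP/1.0" 200 512',
    '198.51.100.7 - - [24/Aug/2000:10:02:40 -0700] "GET /CGI-WIN/Uploader%2Eexe HTTP/1.0" 200 2210',
    '192.0.2.44 - webadmin [24/Aug/2000:10:05:00 -0700] "POST /cgi-win/uploader.exe HTTP/1.0" 200 512',
    '203.0.113.5 - - [24/Aug/2000:10:06:00 -0700] "GET /docs/../cgi-win/uploader.exe/x HTTP/1.0" 401 0',
]

if __name__ == "__main__":
    for hit in anonymous_uploader_hits(SAMPLE):
        print(hit)
```

The status code is kept in each result so that requests the server refused (for example 401) can be told apart from ones it served.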