Reported January 19, 2001, by Strumpf Noir
A vulnerability has been identified in LocalWeb 2000. By adding "../" sequences to a URL, an attacker can read files outside of the webroot directory.

DEMONSTRATION

The following URL retrieves and displays the autoexec.bat file:

http://vulnerable.webserver.com:80/../../../autoexec.bat

VENDOR RESPONSE

The vendor has been notified and has communicated its intent to fix this problem in a future version of LocalWeb. See the vendor's Web site for more information: http://www.intranet-server.co.uk

CREDIT
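A server-side check that refuses the request shown under DEMONSTRATION, as an added example (not LocalWeb's code and not the vendor's fix). The function and class names, the temporary webroot and the two extra request forms are constructed for illustration and say nothing about how LocalWeb itself parses URLs.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit


class TraversalError(Exception):
    """Raised when a request path must not be mapped into the webroot."""


def resolve_request_path(webroot: str, url: str) -> str:
    """Map a request URL to a file path, refusing anything outside webroot."""
    # Decode once and unify separators so every form is checked the same way.
    path = unquote(urlsplit(url).path).replace("\\", "/")
    segments = [s for s in path.split("/") if s not in ("", ".")]
    # Refuse parent-directory segments, drive/stream colons and NUL bytes.
    if any(s == ".." or ":" in s or "\x00" in s for s in segments):
        raise TraversalError(f"disallowed segment in {path!r}")
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Containment check after symlink resolution (catches links out of root).
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"{path!r} resolves outside the webroot")
    return candidate


def demo() -> dict:
    """Run the check over constructed requests against a constructed webroot."""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        with open(os.path.join(webroot, "index.html"), "w") as fh:
            fh.write("ok")
        requests = [
            "http://vulnerable.webserver.com:80/index.html",
            # The request from the advisory's demonstration:
            "http://vulnerable.webserver.com:80/../../../autoexec.bat",
            "/..%2f..%2fautoexec.bat",   # constructed: percent-encoded form
            "/..\\..\\autoexec.bat",     # constructed: backslash separators
        ]
        for url in requests:
            try:
                resolve_request_path(webroot, url)
                results[url] = "allowed"
            except TraversalError:
                results[url] = "rejected"
    return results


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:8} {url}")
```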