| VID |
22223 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The MyServer web server is vulnerable to directory traversal using dot-dot URLs. MyServer is a freely available web server for Microsoft Windows and Linux-based platforms. MyServer version 0.4.3 and earlier allows a remote attacker to read files and directories that reside outside the web root directory. By sending a specially crafted dot-dot URL in which the number of "/./" sequences equals the number of "/../" sequences plus one, such as the following,
http://[target_server]/././..
http://[target_server]/./././../..
http://[target_server]/././././../../..
http://[target_server]/./././././../../../..
a remote attacker can traverse and read any files and directories outside the root directory on the server.
* References:
http://www.securiteinfo.com/attaques/hacking/myServer0_4_3.shtml
http://www.securityfocus.com/archive/1/339145
http://packetstormsecurity.nl/0309-exploits/myserver043.txt
* Platforms Affected: MyServer 0.4.3 and earlier |
| Recommendation |
Upgrade to the latest version of MyServer (0.5 or later), available from the MyServer web site at http://sourceforge.net/project/showfiles.php?group_id=63119 |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
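An added example, not part of the original advisory or of MyServer's code: a web-root check in Python that normalizes the request path segment by segment and rejects the dot-dot URL shapes listed in the description. The function names, the `target.example` host and the sample requests are constructed for illustration; the percent-decoding and backslash handling go beyond the specific URLs in the advisory.

```python
from urllib.parse import unquote, urlsplit


class TraversalError(ValueError):
    """The request path climbs above the web root."""


def resolve_request_path(target: str) -> str:
    """Return the normalized path inside the web root, or raise TraversalError.

    "." segments are no-ops and never offset a later "..";
    ".." removes one real directory and is rejected when none is left.
    """
    # Decode once, and treat "\" as a separator because the server also runs on Windows.
    path = unquote(urlsplit(target).path).replace("\\", "/")
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                raise TraversalError(target)
            stack.pop()
        else:
            stack.append(segment)
    return "/" + "/".join(stack)


def flag_traversal(targets):
    """Return the request targets that would escape the web root."""
    flagged = []
    for target in targets:
        try:
            resolve_request_path(target)
        except TraversalError:
            flagged.append(target)
    return flagged


# Constructed sample: the four URL shapes from the advisory, then two benign requests.
SAMPLE_TARGETS = [
    "http://target.example/././..",
    "http://target.example/./././../..",
    "http://target.example/././././../../..",
    "http://target.example/./././././../../../..",
    "http://target.example/docs/./../index.html",
    "http://target.example/images/logo.png",
]

if __name__ == "__main__":
    for target in flag_traversal(SAMPLE_TARGETS):
        print("REJECT", target)
```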