| VID | 22300 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
The Cherokee Web Server, according to its version number, has a directory traversal vulnerability. Cherokee Web Server is a compact, open-source web server for Microsoft Windows, Linux and Unix-based operating systems. Cherokee versions 0.2.7 and earlier do not filter '../' sequences from HTTP requests. As a result, a remote attacker can request and read files outside the Cherokee HTTP root directory. Because the web server runs with root privileges, a remote attacker could browse any file on the filesystem.
* Note: This check relies solely on the version number of the remote Web server to assess this vulnerability, so the result might be a false positive.
* References:
  * http://www.kb.cert.org/vuls/id/464827
  * http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0085.html
* Platforms Affected:
  * Cherokee Development Team: Cherokee 0.2.8 and prior
  * Unix: Any version
  * Linux: Any version |
| Recommendation | Upgrade to the latest version of Cherokee (0.2.8 or later), available from the Cherokee Download Web page at http://www.alobbs.com/cherokee/download |
| Related URL | CVE-2001-1432 (CVE) |
| Related URL | 3771, 3772 (SecurityFocus) |
| Related URL | 7799 (ISS) |