VID | 22396
Severity | 30
Port | 80, ...
Protocol | TCP
Class | WWW
Detailed Description | CherryPy is a pythonic, object-oriented web development framework. CherryPy versions prior to 2.1.1 are vulnerable to directory traversal in the staticfilter module. By sending a specially crafted URL request to the staticfilter module containing "dot dot" sequences (/../) in various parameters, a remote attacker can step outside the configured static root and read arbitrary files on the affected host, subject to the permissions of the web server user ID.
* References:
  http://www.frsirt.com/english/advisories/2006/0677
  http://secunia.com/advisories/18944
* Platforms Affected: CherryPy.org CherryPy versions prior to 2.1.1; any operating system, any version
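As an added illustration of the bug class described above (this is hypothetical example code, not CherryPy's staticfilter implementation and not taken from the referenced advisories), the handler below joins a request path onto a static root with no containment check, beside a hardened version that resolves the path and verifies it stays under the root. The directory layout, file names and contents are constructed for the example; it also exercises the percent-encoded form of the "dot dot" sequence, which the advisory does not specifically mention.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote

# Constructed fixture (not from the advisory): a static root holding one
# legitimate file, and a file one level above it that should never be served.
_TMP = tempfile.mkdtemp()
STATIC_ROOT = os.path.join(_TMP, "static")
os.makedirs(STATIC_ROOT)
with open(os.path.join(STATIC_ROOT, "index.html"), "w") as fh:
    fh.write("<h1>ok</h1>")
with open(os.path.join(_TMP, "secret.txt"), "w") as fh:
    fh.write("db_password=hunter2")


def serve_vulnerable(url_path: str) -> Optional[bytes]:
    """Hypothetical naive static handler (not CherryPy's staticfilter).

    The request path is percent-decoded and joined onto the static root
    with no normalization or containment check, so a "dot dot" segment
    walks out of the root, which is the bug class the advisory describes.
    """
    rel = unquote(url_path).lstrip("/")
    target = os.path.join(STATIC_ROOT, rel)
    if not os.path.isfile(target):
        return None
    with open(target, "rb") as fh:
        return fh.read()


def serve_hardened(url_path: str) -> Optional[bytes]:
    """Same handler with the containment check that closes the hole."""
    rel = unquote(url_path)
    if "\x00" in rel:  # a NUL byte would truncate the path at the OS layer
        return None
    rel = rel.replace("\\", "/").lstrip("/")
    # Resolve symlinks and ".." on both sides before comparing, then require
    # the resolved target to be the root itself or a descendant of it.
    root = os.path.realpath(STATIC_ROOT)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        return None
    if not os.path.isfile(target):
        return None
    with open(target, "rb") as fh:
        return fh.read()
```

The check is deliberately done on the resolved filesystem path rather than on the URL string: rejecting the literal substring "../" misses encoded variants and symlinks, whereas comparing `realpath` results against the root catches every route out of the directory.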
Recommendation | Upgrade to CherryPy 2.1.1 or later, available from the CherryPy Download page at http://www.cherrypy.org/wiki/CherryPyDownload
Related URL | CVE-2006-0847 (CVE)
Related URL | 16760 (SecurityFocus)
Related URL | 24809 (ISS)