Surfboard httpd Traversal Arbitrary File Access

2003-12-01T07:01:17
ID OSVDB:2883
Type osvdb
Reporter OSVDB
Modified 2003-12-01T07:01:17

Description

Vulnerability Description

Surfboard httpd contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a remote attacker performs a standard directory traversal attack, which discloses the contents of any file on the system, resulting in a loss of confidentiality and integrity.

Solution Description

Upgrade to version 1.1.9 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw with the following workaround: patch the 1.1.8 distribution with the code provided by Luigi Auriemma in the original advisory.

Manual Testing Notes

http://server/../etc/passwd
http://server/../../../etc/passwd
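
One way a file-serving handler can reject the request paths above before they reach the filesystem. This is an added example, not Surfboard's code and not the patch from the original advisory. The function name `resolve_under_root` is hypothetical, and the request path is assumed to be percent-decoded already.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Surfboard's code): lexically resolve a request
 * path relative to the document root. Returns 0 and writes the normalized
 * path to out, or -1 if it is not absolute, climbs above the root, or
 * does not fit in out. */
int resolve_under_root(const char *req, char *out, size_t outlen)
{
    size_t len = 0;                          /* current length of out */
    if (req == NULL || req[0] != '/' || outlen < 2)
        return -1;
    out[0] = '\0';
    while (*req) {
        while (*req == '/') req++;           /* collapse repeated slashes */
        size_t n = strcspn(req, "/");        /* length of next segment */
        if (n == 0) break;
        if (n == 1 && req[0] == '.') {
            /* "." refers to the current directory: nothing to do */
        } else if (n == 2 && req[0] == '.' && req[1] == '.') {
            if (len == 0) return -1;         /* ".." at the root: refuse */
            while (out[len - 1] != '/') len--;   /* drop last segment */
            out[--len] = '\0';               /* and its leading slash */
        } else {
            if (len + n + 2 > outlen) return -1;
            out[len++] = '/';
            memcpy(out + len, req, n);
            len += n;
            out[len] = '\0';
        }
        req += n;
    }
    if (len == 0) strcpy(out, "/");
    return 0;
}

int main(void)
{
    /* First two paths come from the manual testing notes; the rest are constructed. */
    const char *samples[] = { "/../etc/passwd", "/../../../etc/passwd",
                              "/docs/../index.html", "/a/../../etc/passwd" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (resolve_under_root(samples[i], buf, sizeof buf) == 0)
            printf("%-24s -> serve <docroot>%s\n", samples[i], buf);
        else
            printf("%-24s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The check is purely lexical. Where the document root may contain symbolic links, the resolved file should also be compared against the root after `realpath()`.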

References:

Secunia Advisory ID: 10327
Related OSVDB ID: 2909
Other Advisory URL: http://aluigi.altervista.org/adv/surfd-adv.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-11/0351.html
ISS X-Force ID: 13884
Bugtraq ID: 9132