Easy File Sharing Web Server Traversal Arbitrary File/Directory Access

2003-09-16T04:15:26
ID OSVDB:3352
Type osvdb
Reporter OSVDB
Modified 2003-09-16T04:15:26

Description

Vulnerability Description

Easy File Sharing Web Server contains a flaw that may allow a malicious user to traverse directories. A remote attacker could send a specially crafted HTTP request whose URL contains "dot dot" (/../) sequences to traverse directories and view directory listings and arbitrary files outside of the Web root directory.

Solution Description

Upgrade to version 1.21 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[target]/../../../autoexec.bat
http://[target]/.../.../.../program files/Easy File Sharing Web Server/users.sdb
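An added example, not part of the original advisory: a check over web access logs for the two request shapes in the testing notes above, the "../" form and the multi-dot ".../" form, including percent-encoded dots. The names `classify`, `scan` and `SAMPLE_LOG` are hypothetical, the log lines are constructed, and Common Log Format is assumed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Common Log Format), not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Sep/2003:04:15:26 +0000] "GET /index.htm HTTP/1.0" 200 512
192.0.2.11 - - [16/Sep/2003:04:16:02 +0000] "GET /../../../autoexec.bat HTTP/1.0" 200 87
192.0.2.11 - - [16/Sep/2003:04:16:09 +0000] "GET /.../.../.../program%20files/Easy%20File%20Sharing%20Web%20Server/users.sdb HTTP/1.0" 200 2048
192.0.2.12 - - [16/Sep/2003:04:17:40 +0000] "GET /docs/%2e%2e/%2e%2e/%2e%2e/autoexec.bat HTTP/1.0" 404 0
192.0.2.13 - - [16/Sep/2003:04:18:11 +0000] "GET /files/v1..2/readme.txt HTTP/1.0" 200 300
192.0.2.14 - - [16/Sep/2003:04:19:00 +0000] "GET /docs/../index.htm HTTP/1.0" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return 'multi-dot', 'escapes-root' or None for one request target."""
    # Drop the query string and decode once, so %2e%2e is seen as "..".
    path = unquote(target.split("?", 1)[0])
    depth = 0  # directory depth relative to the web root
    # Split on both separators (assumption: the server runs on Windows).
    for seg in re.split(r"[/\\]+", path):
        if seg in ("", "."):
            continue
        if set(seg) == {"."}:
            if len(seg) > 2:
                return "multi-dot"      # ".../" style segment, never legitimate
            depth -= 1
            if depth < 0:
                return "escapes-root"   # more ".." than directories entered
        else:
            depth += 1
    return None

def scan(log_text):
    """Return (client, verdict, request target) for each suspicious log line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        verdict = classify(m.group(1)) if m else None
        if verdict:
            hits.append((line.split()[0], verdict, m.group(1)))
    return hits

if __name__ == "__main__":
    for client, verdict, target in scan(SAMPLE_LOG):
        print(f"{client}  {verdict:12}  {target}")
```

A hit answered with status 200 means the server returned content for a path outside the web root and the host should be treated as unpatched.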

References:

Vendor URL: http://www.sharing-file.com/
Secunia Advisory ID: 9736
Related OSVDB ID: 2552
Other Advisory URL: http://packetstormsecurity.nl/0309-exploits/easyfile.txt
Keyword: Directory Traversal
ISS X-Force ID: 13199
Bugtraq ID: 8632