AWeb Arbitrary File Access

2004-05-05T03:11:42
ID OSVDB:5881
Type osvdb
Reporter Oliver Karow (oliver@greyhat.de)
Modified 2004-05-05T03:11:42

Description

Vulnerability Description

AWeb contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the server not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the URI.
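
The check such a server needs before opening a file, as an added example (not AWeb's code and not from the advisory): it maps a request target to a path under the document root and refuses anything that would climb above it. It goes beyond the plain ../../ case to cover percent-encoded and backslash forms; `WEB_ROOT`, `resolve_request_path`, `classify` and the sample requests are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/aweb/htdocs"  # assumed document root, not from the advisory


def resolve_request_path(request_target, web_root=WEB_ROOT):
    """Return the file path under web_root for a request target, or None to refuse."""
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    # Percent-decode until stable so encoded and double-encoded dots are visible.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after three rounds: refuse
    if "\x00" in path:
        return None
    resolved = []
    # Windows accepts "\" as a separator, so treat it like "/".
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if ":" in seg:
            return None  # drive letter or NTFS stream syntax
        if seg == "..":
            if not resolved:
                return None  # would climb above the web root
            resolved.pop()
        else:
            resolved.append(seg)
    return posixpath.join(web_root, *resolved)


# Constructed request targets for illustration.
SAMPLES = ["/index.html", "/docs/../index.html?x=1", "/../../../../../boot.ini",
           "/..%5c..%5cboot.ini", "/%252e%252e/%252e%252e/boot.ini", "/C:/boot.ini"]


def classify(samples=SAMPLES):
    """Map each sample request target to its resolved path or None."""
    return {s: resolve_request_path(s) for s in samples}


if __name__ == "__main__":
    for target, result in classify().items():
        print(f"{target!r:40} -> {result or 'REFUSED'}")
```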

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/../../../../../boot.ini

References:

Vendor URL: http://www.aldostools.com
Secunia Advisory ID: 11542
Related OSVDB ID: 5880
Other Advisory URL: http://www.oliverkarow.de/research/AldosWebserverMultipleVulns.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-05/0013.html
Keyword: Directory Traversal