Abyss Web Server version 1.0.3 shows file and directory content

From: Securiteinfo.com (webmasterat_private)
Date: Mon Jul 29 2002 - 10:56:42 PDT

    Abyss Web Server version 1.0.3 shows file and directory content
    
    
    .oO  Overview Oo.
    Abyss Web Server version 1.0.3 shows file and directory content
    Discovered on June 30th, 2002
    Vendor: Aprelium
    
    Abyss Web Server 1.0.3 is a free personal web server available for Windows 
    and Linux operating systems. This web server can show file and directory 
    content. Only the Windows version of Abyss is vulnerable.
    
    
    .oO  Details Oo.
    When a GET request with more than 256 slashes ("/") is sent, the server 
    shows all files in the directory content. 
    A hacker can see all hidden (non-HTML linked) files and directories on the 
    server.
    This works only on Windows platforms. On the Linux platform, this request is 
    handled and returns a 414 (Request-URI Too Large) error.
    
    
    .oO  Solution Oo.
    The vendor has been informed and has solved the problem.
    Download Abyss Web Server 1.0.7 at:
    http://www.aprelium.com/news/abws107tp.html
    
    
    .oO  Discovered by Oo.
    Arnaud Jacques aka scrap
    webmasterat_private
    http://www.securiteinfo.com
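
As an added example (not part of the original advisory and not Aprelium's code), the following Python sketch scans access-log lines for the request pattern described under Details and separates requests that were answered with content from those rejected with 414. The Common Log Format layout, the choice to count percent-decoded slashes as well, and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

SLASH_LIMIT = 256  # the advisory's threshold: "more than 256 slashes"

# Common Log Format is assumed here; adjust the pattern to the server's real log layout.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return a finding dict for a GET whose path has more than SLASH_LIMIT slashes, else None."""
    m = CLF.match(line)
    if not m or m["method"] != "GET":
        return None
    # Drop the query string, then decode %2F so encoded slashes are counted too (assumption).
    path = unquote(m["uri"].split("?", 1)[0])
    slashes = path.count("/")
    if slashes <= SLASH_LIMIT:
        return None
    status = int(m["status"])
    if status == 414:
        verdict = "rejected"   # behaviour the advisory reports for the Linux build
    elif 200 <= status < 300:
        verdict = "served"     # content was returned: check what the response exposed
    else:
        verdict = "other"
    return {"host": m["host"], "slashes": slashes, "status": status, "verdict": verdict}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [29/Jul/2002:10:00:01 -0700] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.77 - - [29/Jul/2002:10:00:05 -0700] "GET ' + "/" * 257 + ' HTTP/1.0" 200 4096',
    '192.0.2.77 - - [29/Jul/2002:10:00:09 -0700] "GET ' + "/" * 300 + ' HTTP/1.0" 414 0',
    '192.0.2.10 - - [29/Jul/2002:10:00:12 -0700] "GET ' + "/" * 256 + ' HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A "served" verdict on a host still running 1.0.3 on Windows is the case to review; after the upgrade to 1.0.7 the same scan serves as a regression check.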
    


