
AnalogX SimpleServer:WWW 1.06 (and possibly previous versions) Directory traversal vulnerability EX



    SimpleServer:WWW 1.06 (and possibly previous versions)


    The following is based on a Foundstone advisory by Robin Keir and
    Stuart McClure.  AnalogX SimpleServer:WWW is a simple but effective
    web server designed for the home or small business user.  Its main
    claim is ease of use and setup.

    SimpleServer is vulnerable to  a "relative directory path"  attack
    that allows  a remote  user to  retrieve any  known file  from the
    file system of the  server on which it  is hosted.  In  normal use
    SimpleServer protects against accessing files above the  directory
    in which the server is installed.  It has been proven to correctly
    deny access when using URLs of the following format:

    However, by substituting the dot characters with their equivalent
    hexadecimal URL-encoded form, %2E, this restriction is removed,
    giving the attacker full read access to any file on the remote

    An HTTP request of the form

    will succeed in retrieving the file "file.dat" from one  directory
    level above the server root directory if it exists.  Using similar
    URL requests it has been shown  that any known file on the  system
    can be retrieved.  For example, assuming the default  installation
    location of SimpleServer a request of the form:

    would retrieve the remote user's registry file from a Windows 95/98
    machine, and this would very likely contain confidential

    Another example  here shows  that it  is possible  to retrieve the
    log files from the web server directory itself:


    Download SimpleServer:WWW version 1.07 from

    Preliminary tests of the fix by Foundstone have confirmed the
    problem is corrected.
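
    The %2E behaviour described above is what happens when a server
    filters ".." on the raw request path and percent-decodes it only
    afterwards.  The sketch below is an added example, not AnalogX or
    Foundstone code: naive_lookup is an assumed model of that ordering,
    safe_lookup decodes once and then validates each segment, and the
    function names and sample request paths are constructed for
    illustration.

```python
from urllib.parse import unquote

def naive_lookup(raw_path):
    """Assumed model of the flaw: '..' is filtered on the raw request path,
    and percent-decoding happens only afterwards."""
    if ".." in raw_path:
        return None                      # a literal dot-dot is denied
    return unquote(raw_path)             # %2E%2E turns into '..' after the check

def safe_lookup(raw_path):
    """Decode exactly once, then validate every segment of the decoded path.
    Returns a path relative to the web root, or None to deny the request."""
    decoded = unquote(raw_path).replace("\\", "/")   # Windows accepts both separators
    if "\x00" in decoded or ":" in decoded:          # NUL bytes, drive letters, streams
        return None
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                     # empty and current-directory segments
        if seg.rstrip(". ") != seg:      # '..' and names Windows would trim ('.. ', 'a.')
            return None
        parts.append(seg)
    return "/".join(parts)

# Constructed sample request paths (not taken from the advisory).
SAMPLES = [
    "/index.html",           # ordinary request
    "/../file.dat",          # literal dot-dot: both checks deny it
    "/%2E%2E/file.dat",      # encoded dots: passes the naive check
    "/%2e%2e%5Cfile.dat",    # encoded dots plus encoded backslash
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:24} naive={naive_lookup(p)!r:18} safe={safe_lookup(p)!r}")
```

    The relative path returned by safe_lookup should still be joined to
    the web root and checked for containment before the file is opened.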

