
Simple Server retrieve arbitrary files



Vulnerability

    Simple Server

Affected

    Simple Server

Description

    'slipy' found the following.  The Simple Server is a user-friendly
    web server that handles HTTP requests.  It is Windows-based, coded
    in Java, and extremely convenient to configure.  It requires the
    Java Runtime Environment package in order to run.  Please note
    that this program isn't the same as AnalogX's "Simple Server".
    This program was originally called Free Java Server but has since
    been renamed "The Simple Server".

    Adding the string "/../" to a URL allows an attacker to view any
    file on the server, provided the attacker knows where the file is
    located.

    Example:

        http://www.VULNERABLE.com/../../../../Scandisk.log

    The number of ../ sequences needed depends on where the httpd is
    installed and which file is being requested.
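
    The containment check a file-serving handler needs in order to
    refuse such requests, shown next to the unchecked pattern, as an
    added Java example. This is not Simple Server's source: the class
    and method names, the assumed string-concatenation handler and the
    temporary directory layout are constructed for illustration.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class DocRootCheck {
    // Vulnerable pattern (assumed): the URL path is appended to the document
    // root unchecked, so every "../" climbs one directory above it.
    static Path naiveResolve(Path docRoot, String rawPath) {
        return Paths.get(docRoot.toString() + rawPath).normalize();
    }

    // Hardened: percent-decode, resolve against the root, normalize, then
    // require the result to still lie under the root. Returns null on escape.
    static Path checkedResolve(Path docRoot, String rawPath) throws IOException {
        try {
            String decoded = new URI(rawPath).getPath(); // turns %2e%2e%2f into ../
            if (decoded == null || decoded.indexOf('\0') >= 0) return null;
            Path root = docRoot.toRealPath();
            // Drop leading separators so resolve() never receives an absolute path.
            String relative = decoded.replaceFirst("^[/\\\\]+", "");
            Path candidate = root.resolve(relative).normalize();
            // Path.startsWith compares whole name elements, so a sibling such as
            // "wwwroot-old" does not pass as being inside "wwwroot".
            if (!candidate.startsWith(root)) return null;
            // Follow symlinks and check again, so a link inside the root
            // cannot lead outside it.
            if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) return null;
            return candidate;
        } catch (URISyntaxException | InvalidPathException e) {
            return null; // malformed request path: refuse rather than guess
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/Scandisk.log sits one level above <tmp>/wwwroot.
        Path base = Files.createTempDirectory("docroot-demo").toRealPath();
        Path root = Files.createDirectory(base.resolve("wwwroot"));
        Files.writeString(base.resolve("Scandisk.log"), "outside the document root");
        Files.writeString(root.resolve("index.html"), "<html></html>");
        for (String req : new String[] {"/index.html", "/../Scandisk.log", "/%2e%2e/Scandisk.log"}) {
            System.out.println(req + "  unchecked=" + naiveResolve(root, req)
                    + "  checked=" + checkedResolve(root, req));
        }
    }
}
```

    A handler should answer a null result with 403 or 404 and log the
    raw request line, since repeated ../ sequences in access logs are
    the usual sign of probing for this flaw.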

Solution

    Vendor has been contacted. Waiting for a reply.

