[Original] AnalogX SimpleServer:WWW 1.06 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack that uses the %2E URL encoding for the dots.
source: http://www.securityfocus.com/bid/1508/info
Requesting a specially formed URL containing encoding (%2E) to SimpleServer 1.06 and possibly earlier versions will enable a remote user to gain read access to known files above the SimpleServer directory.
http://target/%2E%2E/filename
AnalogX SimpleServer:WWW contains a flaw that allows a remote attacker to view arbitrary files. The issue is due to the server not sanitizing URI requests. By using a combination of %2E encoding and/or "../../" traversal attacks, the remote attacker can view arbitrary files outside of the web root.
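The flaw described above is the classic ordering mistake: the server inspects the raw request path for ".." before percent-decoding it, so "%2E%2E" never matches. The following is an added example (not code from AnalogX, SecurityFocus or the advisory sources) that contrasts a naive pre-decode check with a hardened resolver that decodes first, normalizes, and then verifies the resulting filesystem path still lies under the web root. The web root `/srv/www/simpleserver` and the sample request paths are constructed for the example; `secret.txt` is a placeholder filename.

```python
import posixpath
from urllib.parse import unquote

# Assumed web root for the example (constructed, not a real SimpleServer path).
WEB_ROOT = "/srv/www/simpleserver"


def naive_is_safe(request_path: str) -> bool:
    """Flawed check modelled on the advisory: looks for '..' in the RAW
    request path before decoding. '%2E%2E/' passes because the dots are
    still percent-encoded when the check runs."""
    return ".." not in request_path


def resolve_safely(request_path: str, web_root: str = WEB_ROOT):
    """Hardened mapping from request path to filesystem path.

    1. Strip any query string.
    2. Percent-decode (twice, so %252E -> %2E -> '.' is also caught).
    3. Join onto the web root and normalize ('..' segments are collapsed).
    4. Accept only if the normalized result is the web root itself or
       a path strictly below it; otherwise return None (reject).
    """
    path_only = request_path.split("?", 1)[0]
    decoded = unquote(unquote(path_only))
    # A NUL byte would truncate the path in C-based servers; reject outright.
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    return candidate


def audit_requests(paths):
    """Run both checks over a batch of request paths. A request that the
    naive check accepts but the hardened resolver rejects is exactly the
    encoded-traversal pattern worth alerting on in access logs."""
    results = []
    for p in paths:
        results.append((p, naive_is_safe(p), resolve_safely(p)))
    return results


if __name__ == "__main__":
    # Constructed sample request paths, including the pattern from the advisory.
    samples = [
        "/index.html",
        "/../secret.txt",
        "/%2E%2E/secret.txt",
        "/docs/%2E%2E/index.html",
        "/%252E%252E/secret.txt",
    ]
    for path, naive_ok, resolved in audit_requests(samples):
        verdict = "ACCEPT" if resolved else "REJECT"
        flag = "  <-- naive check missed this" if naive_ok and resolved is None else ""
        print(f"{path:28} naive={naive_ok!s:5} hardened={verdict} {resolved or ''}{flag}")
```

Note that a legitimate "docs/../index.html" is still served after normalization because it resolves inside the root; the check is on the final resolved path, not on the presence of ".." itself. For detection, the same decode-then-normalize step applied to access-log URIs separates encoded traversal attempts from benign relative paths.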
-
Timeline
2000-07-26
Unknown
2000-07-26
Unknown
-
Solution
Upgrade to version 1.07 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.