Directory traversal vulnerability in Faust Informatics Freestyle Chat server prior to 4.1 SR3 allows a remote attacker to read arbitrary files via a specially crafted URL which includes variations of a '..' (dot dot) attack such as '...' or '....'.
Freestyle Chat server from Faust Informatics incorporates interactive chat functionality into websites.
Versions of Freestyle Chat prior to 4.1 SR3 are vulnerable to directory traversal. A remote user can request files from outside the web server's document root.
Properly exploited, this could provide information useful in further attacks on the vulnerable host.
Freestyle Chat Server Traversal Arbitrary File Access
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
Freestyle Chat Server contains a flaw that allows a remote attacker to read arbitrary files outside of the web root. The issue is due to the server not properly validating the path supplied in the URI: traversal sequences (../../) and dot-dot variants such as '.../' and '..../', which a check for the literal '..' sequence alone would miss, reach the file system.
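The following Python example is added here to make the filter gap and the correct check concrete. It is not Freestyle Chat's code (the advisory does not document the product's actual input handling), and the web root, function names and request paths are assumptions constructed for illustration. The weak filter refuses only a segment that is exactly '..', so the '...' and '....' variants named above pass it; the hardened resolver instead rejects any all-dot segment, then canonicalises and confirms the result is still under the web root.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for this example; Freestyle Chat's real layout is not known.
WEBROOT = "/srv/chat/htdocs"


def weak_is_safe(uri_path: str) -> bool:
    """Hypothetical blocklist filter of the kind this class of bug stems from.

    It refuses a request only when a path segment is exactly '..'.  Segments
    such as '...' or '....' are treated as ordinary file names and pass
    through, which is the gap the advisory describes.
    """
    return all(seg != ".." for seg in uri_path.split("/"))


def hardened_resolve(uri_path: str, webroot: str = WEBROOT) -> str:
    """Return the file-system path for a request, or raise ValueError.

    Allowlist-style check: percent-decode first (so '%2e%2e' becomes '..'
    before it is inspected), reject NUL bytes and backslashes, reject any
    segment that consists only of two or more dots (so '..', '...', '....'
    all fail the same way), then canonicalise lexically and confirm the
    result is still inside the web root.  The final prefix check catches any
    '../' sequence that survived the segment check.
    """
    path = unquote(uri_path)
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    segments = [s for s in path.split("/") if s]
    for seg in segments:
        if "\\" in seg:
            raise ValueError("backslash in path segment")
        if len(seg) >= 2 and set(seg) == {"."}:
            raise ValueError(f"traversal segment rejected: {seg!r}")
    resolved = posixpath.normpath(posixpath.join(webroot, *segments))
    if resolved != webroot and not resolved.startswith(webroot + "/"):
        raise ValueError("resolved path escapes web root")
    return resolved


if __name__ == "__main__":
    # Constructed request paths of the kind the advisory describes.
    for p in ("/images/logo.gif", "/images/../../etc/passwd",
              "/images/.../.../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"):
        print(p, "weak filter:", "pass" if weak_is_safe(p) else "block", end="  ")
        try:
            print("hardened:", hardened_resolve(p))
        except ValueError as e:
            print("hardened: rejected,", e)
```

The order inside `hardened_resolve` matters: decode, then inspect segments, then canonicalise. Checking before decoding lets encoded dots through; canonicalising first with a parser that has its own ideas about dot segments is exactly the kind of mismatch that turns a blocklist into a bypass.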
Upgrade to version 4.1 SR3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.