[Original text] Directory traversal vulnerability in RobTex Viking Web server before 1.07-381 allows remote attackers to read arbitrary files via a hexadecimal encoded dot-dot attack (e.g. http://www.server.com/%2e%2e/%2e%2e) in an HTTP URL request.
Viking Web Server Hexadecimal Encoded Arbitrary File Access
Remote / Network Access
Loss of Confidentiality
Viking Web Server contains a flaw that allows a remote attacker to request files outside of the web path. The issue is due to the program not properly sanitizing user input: traversal-style sequences (../../) are accepted when the ../ is encoded as %2E%2E/.
Upgrade to version 1.0.7 B381 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Add 'Wild http:*%2e* x-viking:/na' to the config file.
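
The flaw described above comes down to filtering the request path before percent-decoding it. As an added example (not Viking's code; `WEB_ROOT` and both function names are assumptions made for illustration), the Python below puts that flawed ordering beside a check that decodes first, canonicalizes, and then confirms the result is still inside the web root:

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www"  # assumed document root for this example


def naive_resolve(url_path):
    """Flawed ordering: filter the raw path, then decode it."""
    if ".." in url_path:              # "%2e%2e" contains no literal ".."
        return None
    decoded = unquote(url_path)       # decoding happens after the filter
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def safe_resolve(url_path):
    """Decode once, canonicalize, then require the result to stay under WEB_ROOT."""
    decoded = unquote(url_path)       # single decode; "%252e" stays a literal "%2e"
    if "\x00" in decoded or "\\" in decoded:
        return None                   # reject NUL bytes and alternate separators
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None                   # canonical path left the web root
    return full


if __name__ == "__main__":
    # Constructed sample request paths
    for path in ["/index.html", "/../secret", "/%2e%2e/%2e%2e/etc/passwd",
                 "/docs/%2E%2E/index.html"]:
        print(f"{path!r:32} naive={naive_resolve(path)!r:24} "
              f"safe={safe_resolve(path)!r}")
```

On a real filesystem the containment check should be made on the fully resolved path (for example with `os.path.realpath`) so that symbolic links inside the web root cannot lead outside it.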