Abyss Web Server Multiple slash Arbitrary Directory Listing
Remote / Network Access
Loss of Confidentiality
Abyss Web Server contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when an attacker sends a specially crafted GET request, which discloses file information outside the server directory, resulting in a loss of confidentiality.
Upgrade to version 1.0.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Discovery credited to Securiteinfo.com <email@example.com>.
Aprelium Technologies Abyss Web Server 1.0.3
A vulnerability has been reported for Abyss Web Server 1.0.3 running on a Microsoft Windows platform. It is possible for an attacker to make a request such that the contents of the web server root directory are revealed.
The vulnerability occurs due to the manner in which excessive '/' characters are handled in web requests. When a malformed GET command is received by Abyss Web Server, it will return an error page containing the directory listing of the specified directory.
This issue may be exploited with a web browser.
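A log check for the request pattern described above, as an added example that is not part of the original advisory: it scans access-log lines for request paths containing long runs of '/' characters, literal or percent-encoded. The Common Log Format layout, the threshold of 3 and the sample lines are assumptions constructed for illustration; the advisory does not specify them.

```python
import re
from urllib.parse import unquote

# Assumption: the access log uses Common Log Format. The advisory does not
# describe the log format Abyss Web Server writes.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption: the advisory only says "excessive"; tune this for your site.
MIN_SLASH_RUN = 3

def longest_slash_run(target):
    """Length of the longest run of '/' in the path part of a request target."""
    path = target.split("?", 1)[0]  # ignore the query string
    # Drop scheme://host on absolute-form targets so its "//" is not counted.
    path = re.sub(r'^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]*', '', path)
    decoded = unquote(path)  # treat %2f / %2F as a slash
    return max((len(r) for r in re.findall(r'/+', decoded)), default=0)

def flag_slash_requests(lines, min_run=MIN_SLASH_RUN):
    """Return one record per log line whose path has a slash run >= min_run."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        run = longest_slash_run(m.group("target"))
        if run >= min_run:
            hits.append({"line": lineno, "client": m.group("client"),
                         "status": int(m.group("status")), "run": run})
    return hits

# Constructed sample log lines (addresses, timestamps, statuses are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2003:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [01/Jan/2003:10:00:05 +0000] "GET ///////// HTTP/1.0" 404 2210',
    '192.0.2.77 - - [01/Jan/2003:10:00:09 +0000] "GET /%2f%2F%2f%2f HTTP/1.0" 404 2210',
    '192.0.2.10 - - [01/Jan/2003:10:00:12 +0000] "GET /docs//faq.html?u=http://a/// HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for hit in flag_slash_requests(SAMPLE_LOG):
        print(hit)
```

Flagged lines are candidates for review, not proof of disclosure; compare the response size against the server's normal error page to see whether a listing was returned.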
The vendor has released a newer version of the software: