Abyss Web Server 1.0.3 has a directory traversal vulnerability. A remote attacker can read arbitrary files by using '..\' (dot dot backslash) sequences in an HTTP GET request.
The vendor has released a patch for this issue. Users are advised to apply the patch or download a newer version of Abyss Web Server 1.0.3 with patches already applied: Aprelium Technologies Abyss Web Server 1.0
A directory traversal vulnerability has been reported for Abyss Web Server. The issue is related to the failure to properly process the backslash character '\' (encoded as '%5c'), which may be used as a directory delimiter on the affected platforms. By using the URL-encoded sequence '%2e%2e%5c', the web root may be escaped.
Exploitation can result in arbitrary system files being sent to a remote attacker. This information may be of value in attempting further attacks against the vulnerable system.
This issue is reported to have different effects in different environments.
"GET /\..\..\..\..\..\winnt\win.ini HTTP/1.0" (using a Telnet client)
Abyss Web Server contains a flaw that allows a remote attacker to read arbitrary files or directory listings outside of the web path. The issue is due to the server not properly sanitizing user input, specifically encoded traversal-style sequences (../../) supplied via the URI.
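To make the flaw concrete, here is an added example (not code from Abyss or from this advisory) contrasting a request-to-file mapping that only strips forward-slash '..' components with a hardened mapping that treats '\' and '%5c' as directory delimiters, plus a simple detection check run over constructed access-log lines. The document root and log lines are constructed for the example.

```python
from urllib.parse import unquote
import posixpath

# Constructed document root for this example (not an actual Abyss path).
WEB_ROOT = "/srv/htdocs"


def naive_resolve(uri: str) -> str:
    """Sketch of the flawed mapping the advisory describes: decodes the
    request once and drops only forward-slash '..' components, so a
    '..\\' (or '%2e%2e%5c') sequence survives and reaches a filesystem
    that treats '\\' as a directory delimiter."""
    path = unquote(uri.split("?", 1)[0])
    parts = [p for p in path.split("/") if p not in ("", ".", "..")]
    return WEB_ROOT + "/" + "/".join(parts)


def safe_resolve(uri: str):
    """Hardened mapping: decode, treat '\\' exactly like '/', normalise,
    and refuse any request whose normalised path climbs above WEB_ROOT.
    Returns the filesystem path, or None when the request is rejected."""
    path = unquote(uri.split("?", 1)[0]).replace("\\", "/")
    rel = posixpath.normpath(path.lstrip("/"))  # path relative to the root
    if rel == ".." or rel.startswith("../") or rel.startswith("/"):
        return None
    return WEB_ROOT if rel == "." else WEB_ROOT + "/" + rel


def is_traversal_attempt(uri: str) -> bool:
    """Detection helper: true when the decoded URI contains a '..' path
    component under either separator, covering '../', '..\\' and '%2e%2e%5c'."""
    decoded = unquote(uri.split("?", 1)[0]).replace("\\", "/")
    return ".." in decoded.split("/")


def flag_log_lines(lines):
    """Return the request lines (constructed "METHOD URI PROTO" format)
    that look like traversal attempts."""
    return [line for line in lines if is_traversal_attempt(line.split()[1])]


# Constructed sample request lines; the second and third mirror the
# advisory's raw and URL-encoded backslash sequences.
SAMPLE_LOG = [
    "GET /index.html HTTP/1.0",
    "GET /\\..\\..\\..\\..\\..\\winnt\\win.ini HTTP/1.0",
    "GET /%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.0",
]
```

Note that safe_resolve still allows '/docs/../index.html', which stays inside the root; only paths that climb above WEB_ROOT are rejected.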
Upgrade to version 220.127.116.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.