pWins Webserver URI Traversal Arbitrary File Access
Remote / Network Access
Loss of Confidentiality
Patch / RCS
pWins contains a flaw that allows a remote attacker to traverse outside of a restricted path. The program does not properly sanitize user input, specifically directory traversal sequences (e.g., ../../) supplied via the URI. This directory traversal attack would allow the attacker to access arbitrary files.
Currently, there are no known workarounds or upgrades to correct this issue. However, the author has released a patch to address this vulnerability.
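A containment check of the kind that prevents this class of flaw, as an added example: it is not pWins code and not the author's patch. The helper name `resolve_under_root`, the `/srv/www` document root and the sample URIs are assumptions constructed for illustration.

```python
import os
from urllib.parse import unquote


def resolve_under_root(doc_root, request_uri):
    """Return the real path of the requested file inside doc_root, or None
    when the URI would resolve outside it. Hypothetical helper, not pWins code."""
    # Keep only the path part; a query string or fragment is never a file name.
    path = request_uri.split("?", 1)[0].split("#", 1)[0]
    # Decode percent-escapes exactly once, before any check, so "%2e%2e%2f"
    # is examined as "../" and not as harmless-looking text.
    path = unquote(path)
    # A NUL byte can truncate the name in lower layers; refuse it outright.
    if "\x00" in path:
        return None
    # On Windows "..\" traverses just like "../", so treat both as separators.
    segments = [s for s in path.replace("\\", "/").split("/") if s not in ("", ".")]
    # Reject ".." instead of stripping it: stripping "....//" leaves "../".
    if ".." in segments:
        return None
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Containment check on the resolved path also catches symlinks and
    # drive-qualified segments that the filter above does not look for.
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:  # different drives on Windows
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests; the document root is a placeholder.
    for uri in ("/index.html", "/../../etc/passwd", "/..%2f..%2fboot.ini",
                "/..\\..\\boot.ini", "/docs/./a.txt?x=1"):
        print(uri, "->", resolve_under_root("/srv/www", uri))
```

The order matters: decoding happens before the `..` check, and the final comparison is made on the fully resolved path rather than on the request string.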