MyServer Remote Directory Traversal Vulnerability

Vulnerability ID: 1108174    Vulnerability type: input validation
Published: 2004-09-15    Updated: 2006-01-24
CVE ID: CVE-2004-2516    CNNVD ID: CNNVD-200412-314
Platform: Windows    CVSS score: 5.0
|Vulnerability Sources
https://www.exploit-db.com/exploits/24600
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-314
|Vulnerability Details
myServer is a web server program. myServer does not correctly filter the URL data submitted by users, so a remote attacker can exploit this vulnerability to read the contents of system files with the privileges of the server process. By sending a request containing many "/./" and "/../" sequences, an attacker can bypass the WEBROOT restriction and read system files with the privileges of the process.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/11189/info

MyServer is reported prone to a remote directory traversal vulnerability. This issue presents itself due to insufficient sanitization of user-supplied data. This vulnerability results in improper access to potentially sensitive files located outside of the document root of the web server. 

MyServer version 0.7 is reportedly affected by this issue, however, other versions may be vulnerable as well.

"GET ././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././../../../../../../../../"
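The defect described above is a request path that is not canonicalized before it is mapped under the document root. As an added example (not code from the advisory or from the myServer project), the following check decodes the request target once, reduces it segment by segment with an explicit stack, and refuses any ".." that would step above the root; the document root path is an assumed value. The request target quoted from the advisory is used as constructed sample input.

```python
from urllib.parse import unquote
import posixpath

WEBROOT = "/var/www/html"  # assumed document root, constructed for this example


def canonicalize_request_path(raw_path: str):
    """Return the canonical absolute filesystem path under WEBROOT for an HTTP
    request target, or None if the request would escape the document root.

    Every ".." is checked against the current depth instead of being clamped
    silently (as posixpath.normpath would do), so an escape attempt is visible
    to the caller and can be logged rather than served as "/".
    """
    # Drop the query string, then decode percent-encoding exactly once.
    path = unquote(raw_path.split("?", 1)[0])
    # Anything still percent-encoded is either malformed or double-encoded
    # (e.g. "%252e"); reject instead of decoding a second time.
    if "%" in path:
        return None
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue            # "//", "/./" and a leading "./" add nothing
        if segment == "..":
            if not stack:
                return None     # would step above the document root
            stack.pop()
            continue
        if "\\" in segment or "\x00" in segment:
            return None         # backslash or NUL have no place in a URL path
        stack.append(segment)
    return posixpath.join(WEBROOT, *stack) if stack else WEBROOT


def classify(raw_path: str) -> str:
    """Label a request target 'ok' or 'traversal' for logging or alerting."""
    return "ok" if canonicalize_request_path(raw_path) is not None else "traversal"


if __name__ == "__main__":
    # Constructed sample: the shape of the request target quoted in the advisory
    advisory_target = "./" * 100 + "../" * 8
    print(classify(advisory_target))          # traversal
    print(canonicalize_request_path("/docs/../index.html"))
```

In a real server the path returned here should additionally be resolved with realpath and confirmed to lie under the document root, so that symlinks inside the root cannot reintroduce an escape.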
|References

Source: BID
Name: 11189
Link: http://www.securityfocus.com/bid/11189
Source: sourceforge.net
Link: http://sourceforge.net/project/shownotes.php?release_id=267444
Source: VULNWATCH
Name: 20040915 myServer 0.7 Directory Traversal Vulnerability
Link: http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0052.html
Source: XF
Name: myserver-get-directory-traversal(17390)
Link: http://xforce.iss.net/xforce/xfdb/17390
Source: OSVDB
Name: 10001
Link: http://www.osvdb.org/10001
Source: SECTRACK
Name: 1011278
Link: http://securitytracker.com/id?1011278
Source: SECUNIA
Name: 12561
Link: http://secunia.com/advisories/12561
Source: NSFOCUS
Name: 6917
Link: http://www.nsfocus.net/vulndb/6917