ImgSvr Server Software Directory Listing Vulnerability

vendor:

ImgSvr server software

by:

Donato Ferrante, Dr_insane

5.5

CVSS

MEDIUM

Directory Listing Vulnerability

548

CWE

Product Name: ImgSvr server software

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2004

ImgSvr Server Software Directory Listing Vulnerability

A vulnerability in the ImgSvr server software allows a remote user to disclose root directory listings and directories outside the server root. An attacker can leverage this vulnerability to gain access to sensitive information and potentially launch further attacks against the target system.

Mitigation:

Apply the latest security patches and updates for the ImgSvr server software. Restrict access to the server and directories to trusted users only. Regularly monitor and review directory listings for any unauthorized access.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10026/info

A vulnerability has been reported in the ImgSvr server software that may allow a remote user to the disclose root directory listings. This issue has also been reported to allow for listing of directories that reside outside the server root as well.

An attacker may leverage this issue to gain access to sensitive information by disclosing directory listings; information disclosed in this way could lead to further attacks against the target system. 

For listing directories inside the server root (provided by Donato Ferrante):
http://www.example.org:1234/%00/
http://www.example.org:1234/someDirectory%00/
http://www.example.org:1234/someDirectory/%00/

For listing directories outside of the server root (provided by Dr_insane):
http://www.example.com:1234/%2f%2e%2e%2f%2f%2e%2e%2f/