Plain Old Webserver Firefox Extension Directory Traversal Vulnerability

Bugtraq ID:	22502
Class:	Input Validation Error
CVE:	CVE-2007-0872
Remote:	Yes
Local:	No
Published:	Sep 25 2006 12:00AM
Updated:	May 12 2015 07:34PM
Credit:	Stefano Di Paola <[email protected]> is credited with the discovery of this vulnerability.
Vulnerable:	Plain Old Webserver Plain Old Webserver 0.0.8 Plain Old Webserver Plain Old Webserver 0.0.7
Not Vulnerable:	Plain Old Webserver Plain Old Webserver 0.0.9

Plain Old Webserver Firefox Extension Directory Traversal Vulnerability

Plain Old Webserver is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting this issue may allow an attacker to access sensitive information that could aid in further attacks.

Version 0.0.7 is vulnerable; other versions may also be affected.

Plain Old Webserver Firefox Extension Directory Traversal Vulnerability

An attacker can exploit this issue via a web client.

The following proof-of-concept URI is available:

http://www.example.com/../../../../[file]

Plain Old Webserver Firefox Extension Directory Traversal Vulnerability

Solution:
The vendor has released version 0.0.9 to address this issue. Please see the references for more information.


Plain Old Webserver Plain Old Webserver 0.0.7

• Plain Old Webserver pow-0.0.9-fx.xpi
  http://releases.mozilla.org/pub/mozilla.org/extensions/pow/pow-0.0.9-f x.xpi

Plain Old Webserver Plain Old Webserver 0.0.8

• Plain Old Webserver pow-0.0.9-fx.xpi
  http://releases.mozilla.org/pub/mozilla.org/extensions/pow/pow-0.0.9-f x.xpi

Plain Old Webserver Firefox Extension Directory Traversal Vulnerability

References:

• Homepage (Plain Old Webserver)