PWebServer Remote Directory Traversal Vulnerability

Bugtraq ID:	9817
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 08 2004 12:00AM
Updated:	Mar 08 2004 12:00AM
Credit:	Disclosure of this issue is credited to Donato Ferrante <[email protected]>.
Vulnerable:	PWebServer Web Server 0.3.3 PWebServer Web Server 0.3.2 PWebServer Web Server 0.3 .0
Not Vulnerable:	PWebServer Web Server 0.3.4

PWebServer Remote Directory Traversal Vulnerability

It has been reported that PWebServer is prone to a remote directory traversal vulnerability. This issue is due to a failure of the server process to properly filter user supplied URI requests.

Information acquired by exploiting this issue may be used to aid further attacks against a vulnerable system.

PWebServer Remote Directory Traversal Vulnerability

No exploit is required to leverage this issue. The following proof of concept has been provided:

http://www.example.com:6789/../someFile
http://www.example.com:6789/../../../../etc/passwd

PWebServer Remote Directory Traversal Vulnerability

Solution:
The vendor has released an upgrade that deals with this issue.


PWebServer Web Server 0.3 .0

• PWebServer pwebserver-0.3.4.tgz
  http://prdownloads.sourceforge.net/pwebserver/pwebserver-0.3.4.tgz

PWebServer Web Server 0.3.2

• PWebServer pwebserver-0.3.4.tgz
  http://prdownloads.sourceforge.net/pwebserver/pwebserver-0.3.4.tgz

PWebServer Web Server 0.3.3

• PWebServer pwebserver-0.3.4.tgz
  http://prdownloads.sourceforge.net/pwebserver/pwebserver-0.3.4.tgz

PWebServer Remote Directory Traversal Vulnerability

References:

• Product Home Page (PWebServer)
  
• directory traversal in PWebServer 0.3.3 ("Donato Ferrante" )