Date: Fri Feb 16 2001 - 13:20:58 CST
ITAfrica's WEBactive HTTP Server 1.00 is an
HTTP/1.00-compliant World Wide Web server
daemon for Windows 95 or Windows NT, specifically
designed for the SOHO (Small Office/Home)
environment. It will operate on any TCP/IP
connection to the Internet, whether via temporary dial-
up or permanent leased-line connectivity.
The vendor's website is:
Download Package at:
Problem: Simple Directory Traversal
Adding the string "/../" to a URL allows an attacker to
view any file on the server, provided the attacker knows where
the file is located. Only Win9x & NT are
^^ = Will obviously open the scandisk.log file.
Note: The ../'s depend on where the httpd is installed
and what file you are attempting to view. I was
debating to publish this hole or not because it appears
the company is no longer in service and wasn't a very
popular httpd in the first place, but c0nefnet talked
me into it despite my objection.
Vendor would have been contacted if I could have
found their email. In the meantime, switch to a
different httpd program to host your home page off of
your Microsoft (c) operating system. (or switch to a
b10z cgi advisory.
February 16th, 2001.
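
A defender's view of the flaw described in this advisory, as an added example that is not part of the original post or the vendor's code: a naive path join beside a resolver that canonicalizes the request and refuses anything outside the document root. The document root `C:/example-httpd/htdocs`, the function names and the sample requests are hypothetical placeholders constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical install location (placeholder, not taken from the advisory).
DOCROOT = "C:/example-httpd/htdocs"


def naive_resolve(url_path, docroot=DOCROOT):
    """Vulnerable pattern: append the request path and collapse '..' afterwards."""
    return posixpath.normpath(docroot + "/" + url_path)


def safe_resolve(url_path, docroot=DOCROOT):
    """Return the canonical path inside docroot, or None if the request escapes it."""
    decoded = unquote(url_path)              # decode %2e, %2f, %5c exactly once
    if "\x00" in decoded or ":" in decoded:  # NUL bytes, drive letters, NTFS streams
        return None
    decoded = decoded.replace("\\", "/")     # Windows accepts both separators
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment check on the canonical form, not on the raw request string.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests.
    for req in ["/index.html", "/docs/../index.html", "/../../scandisk.log",
                "/..%5c..%5cscandisk.log", "/%2e%2e/%2e%2e/scandisk.log"]:
        print(f"{req!r:35} naive={naive_resolve(req)!r:45} safe={safe_resolve(req)!r}")
```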