source: https://www.securityfocus.com/bid/10026/info
A vulnerability has been reported in the ImgSvr server software that may allow a remote user to disclose root directory listings. The issue has also been reported to permit listing of directories that reside outside the server root.
An attacker may leverage this issue to gain access to sensitive information by disclosing directory listings; information disclosed in this way could lead to further attacks against the target system.
For listing directories inside the server root (provided by Donato Ferrante):
http://www.example.org:1234/%00/
http://www.example.org:1234/someDirectory%00/
http://www.example.org:1234/someDirectory/%00/
For listing directories outside of the server root (provided by Dr_insane):
http://www.example.com:1234/%2f%2e%2e%2f%2f%2e%2e%2f/
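The root cause behind both lists is the same: after percent-decoding the server honours an embedded NUL and does not confine the decoded path to its document root. As an added example, not ImgSvr's own code, here is a request-path resolver that rejects both classes and is exercised with the advisory's proof-of-concept paths; the document root is a constructed placeholder.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed placeholder; the real server's document root is not on the page.
DOC_ROOT = "/srv/imgsvr/www"

# Request paths taken from the advisory's proof-of-concept URLs.
POC_PATHS = [
    "/%00/",
    "/someDirectory%00/",
    "/someDirectory/%00/",
    "/%2f%2e%2e%2f%2f%2e%2e%2f/",
]


def resolve_request_path(doc_root: str, raw_path: str) -> Optional[str]:
    """Map an HTTP request path to a filesystem path under doc_root.

    Returns None when the request must be rejected because the decoded path
    contains a NUL byte or resolves to a location outside doc_root.
    """
    # Decode once: "%2e%2e%2f" becomes "../" and "%00" becomes "\x00".
    decoded = unquote(raw_path)
    # C string APIs stop at NUL, so the filesystem would open a different
    # name than the one that was checked; refuse such requests outright.
    if "\x00" in decoded:
        return None
    # Normalise backslashes so "..\" is caught on Windows-hosted servers too.
    decoded = decoded.replace("\\", "/")
    root = os.path.realpath(doc_root)
    # Drop leading slashes, otherwise os.path.join discards doc_root.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Containment check after normalisation: the root itself or something below it.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def classify(doc_root: str, raw_path: str) -> str:
    """'reject' for requests the resolver refuses, 'serve' otherwise."""
    return "reject" if resolve_request_path(doc_root, raw_path) is None else "serve"


if __name__ == "__main__":
    for path in POC_PATHS + ["/images/logo.png"]:
        print(f"{path:32} -> {classify(DOC_ROOT, path)}")
```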