0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

uhttp Server Path Traversal Vulnerability

Author

Salvatore Fresta

Risk

[

Security Risk Unsored

]

0day-ID

Category

Date add

Platform

=========================================
uhttp Server Path Traversal Vulnerability
=========================================


uhttp Server Path Traversal Vulnerability
 
 Name              uhttp Server
 Vendor            http://uhttps.sourceforge.net
 Versions Affected 0.1.0-alpha
 
 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-03-10
 
X. INDEX
 
 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 VI.   DISCLOSURE TIMELINE
  
 
I. ABOUT THE APPLICATION
 
An ultra lightweight webserver with  a very  small  memory
usage.
 
 
II. DESCRIPTION
 
Bad chars are not properly sanitised.
 
 
III. ANALYSIS
 
Summary:
 
 A) Path Traversal
 
A) Path Traversal
 
The problem is in the management of the bad chars that can
be  used  to  launch  some attacks,  such as the directory
traversal.
The path traversal sequence ('../') is not checked, so  it
can be used for seeking the  directories  of the  affected
system.
 
 
IV. SAMPLE CODE
 
The following is a simple example:
 
GET /../../../../../../etc/passwd HTTP/1.1
 
In this example, the daemon has been started in the follows
path: /home/drosophila/downloads/uhttps/src
 
 
V. FIX
 
No patch.
 
 
VIII. DISCLOSURE TIMELINE
 
2010-03-10 Bug discovered
2009-03-10 Advisory Release




#  0day.today [2024-06-03]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

uhttp Server Path Traversal Vulnerability

Report Error

Report Error