New Exploit in AOLserver

posted on February 7, 2001
by hitbsecnews

Posted to BugTraq by joetesta@hushmail.com

Overview

AOLserver v3.2 is a web server available from http://www.aolserver.com.
A vulnerability exists which allows a remote user to break out of the
web root using relative paths (i.e., '...').

Details...

AOLserver checks the requested virtual path for any double dots ('..'),
and returns a 'Not Found' error page if any are present. However, it
does not check for triple dots ('...'). Here is an example URL:

http://localhost:8000/.../[file outside web root]

Note that this vulnerability has only been tested on the latest stable
release (v3.2) for the Win32 platform.

Solution

No quick fix is possible.

Vendor Status

America Online, Inc. was contacted via http://www.aolserver.com/feedback/
on Tuesday, January 30, 2001. No reply was received.

- Joe Testa (e-mail: joetesta@hushmail.com / AIM: LordSpankatron)
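
The gap described under Details, shown as an added example that is not AOLserver's code or part of the original advisory: a filter that rejects only a segment equal to '..' beside one that rejects every dot-only segment. The function names and sample paths are constructed, the weak check is modelled as an exact per-segment comparison (an assumption, since a plain substring search for '..' would also catch '...'), and the input is assumed to be already URL-decoded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Win32 file APIs accept both '/' and '\\' as path separators. */
static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* Weak filter (hypothetical model of the behaviour in the advisory):
 * rejects only segments that are exactly "..", so "..." passes. */
bool weak_path_ok(const char *path)
{
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return false;
        p += n;
    }
    return true;
}

/* Stricter filter: rejects any segment of two or more characters that
 * consists solely of dots ("..", "...", "...."), on either separator.
 * Dots inside a normal name ("v1.2", "a..b") are still allowed. */
bool strict_path_ok(const char *path)
{
    const char *p = path;
    while (*p) {
        while (is_sep(*p)) p++;
        size_t n = 0, dots = 0;
        while (p[n] && !is_sep(p[n])) {
            if (p[n] == '.') dots++;
            n++;
        }
        if (n >= 2 && dots == n) return false;
        p += n;
    }
    return true;
}

int main(void)
{
    /* Constructed sample request paths. */
    const char *samples[] = { "/index.html", "/../secret.txt",
                              "/.../secret.txt", "/a\\..\\b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s weak=%d strict=%d\n", samples[i],
               weak_path_ok(samples[i]), strict_path_ok(samples[i]));
    return 0;
}
```

A segment filter like this is only a first gate; the resolved file path should still be checked to lie under the web root before the file is opened.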

Copyright © 2018 Hack In The Box. All rights reserved.