OSVDB ID: 5544

Title: Acme.Serve URI Encoded Traversal Arbitrary File Access

Info

Disclosure

May 31, 2001

Discovery

Unknown

Dates

Exploit

May 31, 2001

Solution

Unknown

Description

ACME Laboratories' Java class Acme.Serve.Serve contains a flaw that allows a remote attacker to traverse outside of the web path. The issue is due to the server not properly sanitizing user input, specifically crafted URI requests using multiple slashes (////). With such a request, an attacker can force the server to access arbitrary files or force a directory index listing.
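The defensive counterpart of the flaw described above, as an added example that is not code from ACME Laboratories, OSVDB or Acme.Serve: a hypothetical document-root resolver in which a weak string-based check (which passes repeated slashes and percent-encoding straight through to the filesystem) sits beside a hardened one that decodes once, collapses runs of slashes, normalises the path and then proves the result still lies under the document root. Class and method names are assumptions for illustration; the sample requests are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical document-root resolver; not Acme.Serve's own code. */
public class SafeDocRoot {
    private final Path docRoot;

    public SafeDocRoot(String root) {
        // Canonical absolute root so that containment checks compare like with like.
        this.docRoot = Paths.get(root).toAbsolutePath().normalize();
    }

    /** Weak pattern: a substring check on the raw request path, no canonicalisation. */
    public Path resolveNaive(String requestPath) {
        if (requestPath.contains("..")) {
            return null;
        }
        String rel = requestPath.startsWith("/") ? requestPath.substring(1) : requestPath;
        // A leading "//" leaves rel absolute, and Path.resolve then ignores docRoot entirely;
        // percent-encoded bytes are never decoded, so the check above never sees them.
        return docRoot.resolve(rel);
    }

    /** Hardened: decode, collapse repeated slashes, normalise, then prove the result stays under docRoot. */
    public Path resolveSafe(String requestPath) {
        String decoded;
        try {
            decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedEscape) {
            return null;                       // bad %xx sequence: reject, do not guess
        }
        if (decoded.indexOf('\0') >= 0) {
            return null;                       // an embedded NUL is never a legitimate path
        }
        String collapsed = decoded.replaceAll("/+", "/");
        String rel = collapsed.startsWith("/") ? collapsed.substring(1) : collapsed;
        Path resolved = docRoot.resolve(rel).normalize();
        // Path.startsWith compares whole components, so "/srv/www2" does not pass for root "/srv/www".
        return resolved.startsWith(docRoot) ? resolved : null;
    }

    public static void main(String[] args) {
        SafeDocRoot root = new SafeDocRoot("/srv/www");
        // Constructed sample requests; the doubled-slash form mirrors the input class in the description.
        String[] samples = { "/index.html", "//index.html", "/docs/..//index.html", "/%2e%2e/outside.txt" };
        for (String s : samples) {
            System.out.printf("%-28s naive=%s%n%-28s safe=%s%n",
                    s, root.resolveNaive(s), "", root.resolveSafe(s));
        }
    }
}
```

Running the main shows the contrast: the naive resolver turns "//index.html" into the filesystem path "/index.html" and lets the percent-encoded request through unexamined, while the hardened resolver maps both slash forms to "/srv/www/index.html", accepts the in-root "docs/../index.html" after normalisation, and returns null for anything that would escape the root. Returning null (to be turned into a 403 or 404 by the caller) rather than a "corrected" path is deliberate: rewriting a suspicious request is how the next bypass gets in.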

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

The Acme.Serve.Serve embedded web server is used in a wide variety of products. Consult your vendor for mitigation information. Upgrade Cisco SecureACS for Unix to version 2.3.6.1 or higher, as that release has been reported to fix this vulnerability.

Products

APC

APC InfraStruXure Manager

Unknown or Unspecified

Cisco Systems, Inc.

SecureACS for Unix

2.0
2.3
2.3.5.1

ACME Laboratories

Acme.Serve

1.7

References

Credit

  • AS19 Team (as19.org)


Direct URL: http://osvdb.org/36218