Web root exposure in HSWeb Webserver


HSWeb v2.0 is a webserver available from http://www.jeffheaton.com and
http://www.download.com.  Any remote user can discover the physical path
of the web root if directory browsing is enabled.


If directory browsing is enabled, then going to the following URL:


will cause HSWeb to respond with:

        Directory listing of d:\hs\WWWRoot\cgi\

        Type   File Name          Size  Last Modified

        [DIR]  Parent Directory   -     Sun. 28 Jan 2001 10:38:08 GMT


Turn off directory browsing.
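
To confirm the setting took effect, a saved response body can be checked for the listing header quoted above. The Python below is an added example, not part of the original advisory or of HSWeb; the function name, the request paths and every sample body other than the quoted header line are constructed, and it assumes the header keeps the "Directory listing of ..." form shown above.

```python
import re

# Header line that precedes a listing, in the form quoted in the advisory.
LISTING_RE = re.compile(r"Directory listing of\s+(?P<path>[^\r\n<]+)", re.IGNORECASE)

# Forms that name a location on the server's disk rather than a URL path.
DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")       # d:\hs\WWWRoot\cgi\
UNC_RE = re.compile(r"^\\\\[^\\]+\\[^\\]+")     # \\host\share\...


def classify_listing(body, url_path):
    """Classify one HTTP response body fetched for url_path.

    Returns (status, shown_path) where status is:
      'no-listing'     - no listing header (browsing is off or page differs)
      'listing'        - browsing is on, header shows only the URL path
      'path-disclosed' - browsing is on and the header shows a filesystem path
    """
    m = LISTING_RE.search(body)
    if not m:
        return ("no-listing", None)
    shown = m.group("path").strip()
    if DRIVE_RE.match(shown) or UNC_RE.match(shown):
        return ("path-disclosed", shown)
    # A Unix-style absolute path is a leak only when it is not simply the
    # URL path that was requested.
    if shown.startswith("/") and shown.rstrip("/") != url_path.rstrip("/"):
        return ("path-disclosed", shown)
    return ("listing", shown)


# First body reuses the header line quoted in the advisory; the request paths
# and the remaining bodies are constructed sample input.
ADVISORY_BODY = "Directory listing of d:\\hs\\WWWRoot\\cgi\\\n\nType   File Name\n"
SAMPLES = [
    ("/placeholder/", ADVISORY_BODY),
    ("/docs/", "<h1>Directory listing of /docs/</h1>"),
    ("/docs/", "Directory listing of /usr/local/web/docs/"),
    ("/docs/", "403 Forbidden"),
]

if __name__ == "__main__":
    for url_path, body in SAMPLES:
        print(url_path, classify_listing(body, url_path))
```

A 'no-listing' result for every directory URL on the server is the outcome expected once directory browsing is turned off.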

Vendor Status

The author of the program, Jeff Heaton, was notified via
<[EMAIL PROTECTED]> on Sunday, January 28, 2001.  No reply was received.

        - Joe Testa  ( [EMAIL PROTECTED] )

