Vulnerability in SEDUM HTTP Server


SEDUM HTTP Server v2.0 is a web server written by Guido Frassetto.  A
vulnerability exists which allows a remote user to break out of the web root
using relative path segments (i.e. '..' and also '...'); a filter that only
looks for the literal '..' does not stop the three-dot form.


        http://localhost/../[file outside web root]
        http://localhost/.../[file outside web root]
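The following is an added example, not SEDUM's code, showing why a server that simply appends the request path to its document root is exploitable by the two request forms above, and how a hardened resolver handles them: it decodes the path once, treats backslashes as separators, refuses any dot-only segment of three or more dots (which a POSIX-style normalization would otherwise pass through untouched), and then confines the lexically normalized result to the web root. The web root and request URLs are constructed for the demonstration.

```python
"""Path traversal: naive vs. confined document-root resolution (added example)."""
import posixpath
from urllib.parse import unquote, urlsplit

WEB_ROOT = "/var/www/htdocs"  # assumed document root for this example


def naive_resolve(web_root, request_target):
    """Mimic a server that concatenates the request path onto the web root.

    Nothing checks containment, so the filesystem resolves '..' at open()
    time and the result can sit anywhere on the disk.  normpath() stands in
    here for what the OS does when the file is actually opened.
    """
    path = unquote(urlsplit(request_target).path)
    return posixpath.normpath(web_root + path)


def hardened_resolve(web_root, request_target):
    """Return the filesystem path for request_target, or None if it must be refused.

    Steps: decode once, unify separators, reject runs of three or more dots,
    then normalize lexically and require the result to stay under web_root.
    """
    path = unquote(urlsplit(request_target).path)
    if "\x00" in path:
        return None
    # Windows file APIs accept '\' as a separator, so treat it as one here too.
    path = path.replace("\\", "/")
    # A segment such as '...' or '....' is not a valid file name we want to
    # serve, and posixpath.normpath leaves it alone, so the containment check
    # below would not notice it.  Refuse it outright.
    for seg in path.split("/"):
        if len(seg) >= 3 and set(seg) == {"."}:
            return None
    root = posixpath.normpath(web_root)
    # Strip the leading '/' so posixpath.join does not discard the root.
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # Lexical containment: the candidate must be the root or live beneath it.
    # This is what stops '..', including percent-encoded '%2e%2e'.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for target in ("http://localhost/index.html",
                   "http://localhost/../etc/passwd",
                   "http://localhost/.../etc/passwd",
                   "http://localhost/%2e%2e/etc/passwd"):
        print(target, "->", naive_resolve(WEB_ROOT, target),
              "| hardened:", hardened_resolve(WEB_ROOT, target))
```

The containment check alone is not enough on a platform where a run of dots means "parent directory": `posixpath.normpath` treats `...` as an ordinary name and would report it as inside the root, which is why the dot-run rule is applied before normalization. Decoding exactly once also matters: a resolver that decodes, checks, and then decodes again can be bypassed with `%252e%252e`.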


No quick fix is available; see the vendor status below.

    Vendor Status

    The author, Guido Frassetto, was contacted via <[EMAIL PROTECTED]>
and <[EMAIL PROTECTED]> on Sunday, January 28, 2001 regarding version 1.1 of
SEDUM.  He replied promptly and stated that version 2.0 is immune to this
problem.  I downloaded the new version, ran more tests, and found that
absolutely nothing had changed.  Since then, I have not heard back from
Guido Frassetto.

        - Joe Testa  ( [EMAIL PROTECTED] )

