Vulnerability in AOLserver


AOLserver v3.2 is a web server available from
A vulnerability exists which allows a remote user to break out of the
web root using relative paths (i.e. '...').


AOLserver checks the requested virtual path for any double dots ('..'),
and returns a 'Not Found' error page if any are present.  However, it
does not check for triple dots ('...').  Here is an example URL:

        http://localhost:8000/.../[file outside web root]

Note that this vulnerability has only been tested on the latest stable
release (v3.2) for the Win32 platform.


No quick fix is possible.

    Vendor Status

America Online, Inc. was contacted via
on Tuesday, January 30, 2001.  No reply was received.

      - Joe Testa  ( e-mail: [EMAIL PROTECTED] / AIM: LordSpankatron )

