Date:         Tue, 6 Feb 2001 02:31:40 -0800

   . . .
   AOLserver v3.2 is a web server available from
   A vulnerability exists which allows a remote user to break out of the
   web root using relative paths (i.e. '...').


   AOLServer checks the requested virtual path for any double dots ('..'),
   and returns a 'Not Found' error page if any are present.  However, it
   does not check for triple dots ('...').  Here is an example URL:

           http://localhost:8000/.../[file outside web root]

   Note that this vulnerability has only been tested on the latest stable
   release (v3.2) for the Win32 platform.
   . . .

AOLserver v3.2 on Linux (RH 6.0) does not appear to be vulnerable.
OS-dependent code?

                                        -- Bob Rogers
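The quoted report describes a filter that rejects only the exact token '..' per path component, so a component such as '...' is never matched. The following is an added example (my code, not the advisory's and not AOLserver's source) that models that check next to a hardened one. It does not answer Bob's question about why Win32 honours '...' as traversal; it only shows how a literal-token blacklist misses it, and that treating a backslash as a separator matters on Win32, which accepts both. The request paths are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Does the component [comp, comp+len) consist only of dots? */
static bool all_dots(const char *comp, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (comp[i] != '.')
            return false;
    return len > 0;
}

/* Walk the virtual path one component at a time; a component ends at
   any byte listed in `seps`. Returns true as soon as `bad` rejects a
   component. */
static bool any_component(const char *vpath, const char *seps,
                          bool (*bad)(const char *, size_t))
{
    const char *p = vpath;
    for (;;) {
        size_t len = strcspn(p, seps);
        if (bad(p, len))
            return true;
        if (p[len] == '\0')
            return false;
        p += len + 1;
    }
}

/* Naive rule modelled on the report (assumption about the original
   check): only the exact token ".." is rejected, so "..." or "...."
   passes, and a backslash is not even seen as a separator. */
static bool is_exact_dotdot(const char *comp, size_t len)
{
    return len == 2 && comp[0] == '.' && comp[1] == '.';
}

bool naive_rejects(const char *vpath)
{
    return any_component(vpath, "/", is_exact_dotdot);
}

/* Hardened rule: any component made only of two or more dots is
   rejected regardless of what the OS would do with it, and '\' counts
   as a separator because Win32 accepts it. A name like "a..b" is a
   legitimate filename and is not flagged. */
static bool is_dot_run(const char *comp, size_t len)
{
    return len >= 2 && all_dots(comp, len);
}

bool hardened_rejects(const char *vpath)
{
    return any_component(vpath, "/\\", is_dot_run);
}

int main(void)
{
    /* Constructed probe paths for the demonstration. */
    const char *probes[] = {
        "/index.html", "/../etc/passwd", "/.../boot.ini", "/a..b/c.txt",
        "/..\\..\\winnt\\win.ini",
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-26s naive=%d hardened=%d\n", probes[i],
               naive_rejects(probes[i]), hardened_rejects(probes[i]));
    return 0;
}
```

The string-level rule above is the minimal fix for the pattern in the report. The durable fix, which this example does not implement, is to resolve the requested path to a canonical filesystem path with the OS and then verify it still lies under the web root, so that whatever an OS makes of odd components is checked after the fact rather than guessed at in advance.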
