Vulnerability in SEDUM HTTP Server
Overview
SEDUM HTTP Server v2.0 is a web server available from
http://www.frassetto.it and http://www.zdnet.com. A vulnerability exists
which allows a remote user to break out of the web root using relative
path components (i.e. '..', '...') in the requested URL.
Details
http://localhost/../[file outside web root]
http://localhost/.../[file outside web root]
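The following Python example is added here and is not SEDUM's code or part of the original advisory. It contrasts a naive request-path-to-file mapping, which lets '..' walk above the web root, with a resolver that rejects any path component consisting only of dots (the advisory lists '...' alongside '..', so both are treated as traversal markers here, without claiming how SEDUM handles them) and then checks that the normalized result still lies inside the web root. The web root and request paths are constructed sample values.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example web root; not a path from the advisory.
WEB_ROOT = "/var/www/htdocs"


def naive_resolve(web_root: str, request_path: str) -> str:
    """Naive mapping: strip the leading '/' and join under the web root.
    Lexical normalization happily follows '..' above the root."""
    return posixpath.normpath(posixpath.join(web_root, request_path.lstrip("/")))


def resolve_request_path(web_root: str, request_path: str) -> Optional[str]:
    """Map an HTTP request path onto a filesystem path inside web_root.
    Returns None when the request would escape the root."""
    # Decode percent-encoding once, so "%2e%2e" is seen as "..".
    decoded = unquote(request_path)
    # Reject NUL bytes (string-truncation tricks) outright.
    if "\0" in decoded:
        return None
    # Treat backslashes as separators too, so "..\\" cannot slip past the split.
    decoded = decoded.replace("\\", "/")
    # Any component made only of dots, other than "." itself, is a traversal
    # marker: ".." is the parent directory, and longer runs such as "..." are
    # collapsed to parent references on some platforms.
    for part in decoded.split("/"):
        if part and part != "." and set(part) == {"."}:
            return None
    # Normalize lexically, anchor under the web root, then verify containment.
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, normalized.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests in the shape the advisory describes.
    for req in ["/index.html", "/../secret.txt", "/.../secret.txt", "/%2e%2e/secret.txt"]:
        print(f"{req:22} naive -> {naive_resolve(WEB_ROOT, req):32} hardened -> {resolve_request_path(WEB_ROOT, req)}")
```

The lexical check is only the first layer: a production server should also canonicalize the final candidate with the operating system (for example via os.path.realpath) and repeat the containment test, so that symbolic links beneath the web root cannot point outside it.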
Solution
No quick fix is possible.
Vendor Status
The author, Guido Frassetto, was contacted via <[EMAIL PROTECTED]>
and <[EMAIL PROTECTED]> on Sunday, January 28, 2001 regarding version 1.1 of
SEDUM. He replied promptly and stated that version 2.0 is immune to this
problem. I downloaded the new version, ran more tests, and found that
absolutely nothing is different. Since then, I have not heard back from
Guido Frassetto.
- Joe Testa ( [EMAIL PROTECTED] )