Web root exposure in HSWeb Webserver
Overview
HSWeb v2.0 is a webserver available from http://www.jeffheaton.com and
http://www.download.com. Any remote user can discover the physical path
of the web root if directory browsing is enabled.
Details
If directory browsing is enabled, then going to the following URL:

    http://localhost/cgi/

will cause HSWeb to respond with:

    Directory listing of d:\hs\WWWRoot\cgi\
    Type   File Name          Size   Last Modified
    [DIR]  Parent Directory   -      Sun. 28 Jan 2001 10:38:08 GMT
Solution
Turn off directory browsing.
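Added example (not part of the original advisory and not HSWeb code): a check that can be run over a saved response body to confirm that no listing banner or physical path is returned once directory browsing is off. The function names, the sample bodies and the 403 text are assumptions made for illustration; only Windows drive-letter paths are handled.

```python
import re

# Constructed sample bodies; the first mirrors the listing quoted in the advisory.
SAMPLE_LISTING = (
    "Directory listing of d:\\hs\\WWWRoot\\cgi\\\n"
    "Type File Name Size Last Modified\n"
    "[DIR] Parent Directory - Sun. 28 Jan 2001 10:38:08 GMT\n"
)
SAMPLE_CLEAN = "<html><body>403 Forbidden: /cgi/</body></html>\n"  # assumed fixed reply

# Banner line that introduces the listing in the advisory's output.
_BANNER = re.compile(r"(?im)^\s*Directory listing of\s+\S")
# Windows drive-letter path such as d:\dir\sub\ ; stops at whitespace, so a
# path containing spaces is reported truncated.
_WIN_PATH = re.compile(r'(?<![A-Za-z0-9])[A-Za-z]:\\[^\s:*?"<>|]*')


def infer_web_root(url_path, fs_path):
    """Strip the URL's directory segments from the end of a disclosed path.

    Returns the directory the URL root maps to, or None when the disclosed
    path does not end with the requested URL path.
    """
    url_parts = [p for p in url_path.split("/") if p]
    fs_parts = [p for p in fs_path.split("\\") if p]
    n = len(url_parts)
    if n >= len(fs_parts):
        return None
    if n and [p.lower() for p in fs_parts[-n:]] != [p.lower() for p in url_parts]:
        return None
    return "\\".join(fs_parts[:len(fs_parts) - n]) + "\\"


def check_response(url_path, body):
    """Report whether a response body shows a listing and which paths it leaks."""
    paths = list(dict.fromkeys(_WIN_PATH.findall(body)))  # de-duplicate, keep order
    roots = [infer_web_root(url_path, p) for p in paths]
    return {
        "directory_listing": _BANNER.search(body) is not None,
        "disclosed_paths": paths,
        "web_root": next((r for r in roots if r), None),
    }


if __name__ == "__main__":
    for name, body in (("listing", SAMPLE_LISTING), ("clean", SAMPLE_CLEAN)):
        print(name, check_response("/cgi/", body))
```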
Vendor Status
The author of the program, Jeff Heaton, was notified via
<[EMAIL PROTECTED]> on Sunday, January 28, 2001. No reply was received.
- Joe Testa ( [EMAIL PROTECTED] )