From: [EMAIL PROTECTED]
Date: Tue, 6 Feb 2001 02:31:40 -0800
. . .
AOLserver v3.2 is a web server available from http://www.aolserver.com.
A vulnerability exists which allows a remote user user to break out of the
web root using relative paths (ie: '...').
Details
AOLServer checks the requested virtual path for any double dots ('..'),
and returns a 'Not Found' error page if any are present. However, it
does not check for triple dots ('...'). Here is an example URL:
http://localhost:8000/.../[file outside web root]
Note that this vulnerability has only been tested on the latest stable
release (v3.2) for the Win32 platform.
. . .
AOLserver v3.2 on Linux (RH 6.0) does not appear to be vulnerable.
OS-dependent code?
-- Bob Rogers
