AOLserver Directory Traversal Vulnerability

AOLserver is a multi-threaded Web server by America Online. AOLserver is designed for large-scale Web sites and supports Tcl scripting language.

AOLserver Versions 3.2 and prior contain a vulnerability that allows unauthorized remote users to gain read access to directories outside the root directory. Requesting a specially crafted URL composed of "../" sequences to a host running AOLserver will disclose an arbitrary directory.

Unauthorized remote users can exploit this vulnerability to gain read access to various files residing on the target machine. Successful exploitation of this vulnerability could lead to the disclosure of sensitive information which could be used to implement further attacks against the host.

Download AOLserver Version 3.4 from the AOLserver Web site.