Heat-On HSWeb Web Server Path Disclosure Vulnerability

HSWeb is a Web server offered by Heat-On Software.

HSWeb contains a path disclosure vulnerability, which makes it possible for unauthorized remote users to obtain the physical path to the Web root and browse the entire directory listing by requesting a specially crafted URL.

Note: Directory browsing must be enabled for this vulnerability to be exploited.

By exploiting this vulnerability, unauthorized users can gain access to sensitive information, which can be used to implement further attacks against the host.

The vendor is no longer supporting the application.

As a workaround, disable directory browsing.