漏洞类别:Web server漏洞等级: 
漏洞信息
If a request containing the null character (%00) or the space character (%20) is made to the Roxen WebServer, the server will return directory contents, as well as the source of unparsed scripts and HTML pages. For example, a request to http://www.server.com/%00 would return the contents of the server's document root directory.
Roxen WebServer Versions 2.0 to 2.0.69 are affected by this vulnerability; however, Version 2.0.64 is only vulnerable to the space character (%20) issue.
漏洞危害
If exploited, the contents of the Web server's document root directory could be disclosed.
解决方案
The recommended solution is to use the administration interface to update the server. Apply the 'Fix for "%00" vulnerability'.
Roxen has made the following patches available. Apply the appropriate patch to server/protocols/http.pike, and then restart the server so the fix can take effect.
Roxen WebServer Version 2.0.x Patch (Note: This patch can be applied as an alternative to using the administration interface and Roxen Update Server.):
ftp://ftp.roxen.com/pub/roxen/patches/roxen_2.0.50-http.pike.patch
Roxen WebServer Version 1.3.122 Patch (Note: Although Version 1.3.122 is not affected by this specific vulnerability, Roxen provided the patch to eliminate any further problems related to this issue.):
ftp://ftp.roxen.com/pub/roxen/patches/roxen_1.3.122-http.pike.patch
You can also upgrade to the latest version of Roxen WebServer, which can be downloaded from the Roxen Web site.
0day
文章评论