漏洞类别:Web server漏洞等级: 
漏洞信息
Acme THTTPd HTTP server includes a CGI program external to thttpd called "ssi". This program provides the functionality of the built-in server-side-includes feature in some HTTP daemons.
The names of files to be filtered through the ssi script are passed to ssi via the PATH_TRANSLATED environment variable. Certain escape sequences are not properly filtered by ssi, allowing the possibility for a malicious user to bypass filtering by submitting URLs containing hex-escaped ".." sequences.
漏洞危害
If this vulnerability is successfully exploited, then a remote malicious user can view arbitrary files in known locations anywhere on the Web server.
解决方案
Acme Software released THTTPd Version 2.20, which is available for download from Acme's THTTPd Download Web page.
0day
文章评论