Robin Twombly A1 HTTP Server Directory Traversal Vulnerability

Robin Twombly's A1 Web server is a light-weight Web server designed specifically for Windows environments.

A remote user could gain read access to directories outside the Web root by requesting a specially crafted URL composed of '../' sequences to a host running A1 server. This results in the disclosure of arbitrary directories. This vulnerability could enable an attacker to gain read access to various known files residing on the target machine.

Successful exploitation of this vulnerability could lead to the disclosure of sensitive information, which could possibly assist in further attacks against the host.

We advice to change your Web server since A1 HTTP Server is discontinued.