".."-hole in Alibaba 2.0

- ".."-hole in Alibaba 2.0 -

There is a hole in the web server Alibaba 2.0. Here's an example:

If you install it so the web root is located in c:\alibaba\HtmlDocs\ and there is a file c:\winnt\file.txt you can send an URL:

http:\\www.server.se\..\..\winnt\file.txt

and get the "file.txt" file. This works all over the disk Alibaba is installed on. If directory browsing isn't allowed you have to know the pathname of the file you want. If directory browsing is allowed you can start at the disk root directory, but you have to enter the directories by hand when browsing, because the server will assume they are located in the web root, so if you just click around all you'll get is lots of 404's.

[Home] [Security Advisories] [The Toolbox] [The Trashcan]