thttpd Double Slash Request Arbitrary File Access

This script is Copyright (C) 1999-2015 Tenable Network Security, Inc.

Synopsis :

It is possible to use the remote web server to read arbitrary files on the
remote system.

Description :

The remote HTTP server allows an attacker to read arbitrary files
on the remote host with the privileges of the web server, simply by
adding a slash in front of its name.

For instance, 'GET //etc/passwd' will return the contents of the
remote file '/etc/passwd'.

Solution :

Upgrade your web server or change it.

Risk factor :

Medium / CVSS Base Score : 5.0

Family: Web Servers

Nessus Plugin ID: 10286 ()

Bugtraq ID:

CVE ID: CVE-1999-1456