thttpd Double Slash Request Arbitrary File Access

This script is Copyright (C) 1999-2013 Tenable Network Security, Inc.


Synopsis :

It is possible to use the remote web server to read arbitrary files on the
remote system.

Description :

The remote HTTP server allows an attacker to read arbitrary files
on the remote host with the privileges of the web server, simply by
adding a slash in front of its name.

For instance, 'GET //etc/passwd' will return the contents of the
remote file '/etc/passwd'.

Solution :

Upgrade your web server or change it.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Family: Web Servers

Nessus Plugin ID: 10286 ()

Bugtraq ID:

CVE ID: CVE-1999-1456