Cherokee Web Server URI Traversal Arbitrary File Access

Medium Nessus Plugin ID 15621


The remote web server is affected by an information disclosure vulnerability.


The remote host is running Cherokee - a fast and tiny web server.

The remote version of this software is vulnerable to directory traversal flaw when appending a '../' sequence to the web request.

Additionally, this version fails to drop root privileges after it binds to listen port.

Remote attacker can then submit specially crafted web request to browse any file on the server with root privileges.


Upgrade to Cherokee 0.2.8 or newer as this reportedly fixes the issue.

See Also

Plugin Details

Severity: Medium

ID: 15621

File Name: cherokee_dir_traversal.nasl

Version: $Revision: 1.16 $

Type: remote

Family: Web Servers

Published: 2004/11/04

Modified: 2016/10/07

Dependencies: 10107, 17975

Risk Information

Risk Factor: Medium


Base Score: 5

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:ND/RL:U/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 2001/12/30

Reference Information

CVE: CVE-2001-1432

BID: 3772

OSVDB: 16980

CWE: 22