Cherokee Web Server URI Traversal Arbitrary File Access
Medium Nessus Plugin ID 15621
SynopsisThe remote web server is affected by an information disclosure vulnerability.
DescriptionThe remote host is running Cherokee - a fast and tiny web server.
The remote version of this software is vulnerable to directory traversal flaw when appending a '../' sequence to the web request.
Additionally, this version fails to drop root privileges after it binds to listen port.
Remote attacker can then submit specially crafted web request to browse any file on the server with root privileges.
SolutionUpgrade to Cherokee 0.2.8 or newer as this reportedly fixes the issue.