N/A

Sergey Lyubka Simple HTTPD (shttpd) 1.38 and earlier on Windows allows remote attackers to download arbitrary CGI programs or scripts via a URI with an appended (1) '+' character, (2) '.' character, (3) %2e sequence (hex-encoded dot), or (4) hex-encoded character greater than 0x7f. NOTE: the %20 vector is already covered by CVE-2007-3407.

N/A

N/A

Sergey Lyubka Simple HTTPD 目录遍历漏洞

SHTTPD是一款轻量级的简单易用的web服务器。 SHTTPD的实现上存在输入验证漏洞，远程攻击者可能利用此漏洞遍历服务器目录，读取文件。 如果在所请求的文件名中添加了"+"、"."、"%20"、"%2e"字符和任何大于0x7f的16进制字节的话，就可以导致浏览/下载服务器中的任意脚本和CGI。

N/A

N/A