Cherokee contains a directory traversal vulnerability caused by failure to filter '../' character sequences.
Cherokee is a compact, open-source web server. Cherokee does not filter '../' sequences from the path of an HTTP request before mapping it onto the filesystem. As a result, a remote attacker can request, and read the contents of, files outside the Cherokee HTTP document root.
An attacker may read any file on the filesystem that is readable by the Cherokee process; if the server is running as root, that is any file on the system.
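The following C is an added illustration of the bug class described above; it is not Cherokee's code and not part of the original note. It contrasts a naive resolver that simply appends the request path to the document root (the behaviour the note describes) with one that percent-decodes the path exactly once, normalizes it segment by segment, and refuses any request that would climb above the root. The document root and the request paths in main() are constructed sample values, not paths from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_SEGS 64

/* Naive mapping: root + request path, no normalization. This is the
 * behaviour the advisory describes: "/../../etc/passwd" walks out of root. */
int resolve_naive(const char *root, const char *req_path, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s%s", root, req_path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes exactly once. Rejects malformed escapes and embedded NUL
 * so that "%2e%2e" is seen as ".." by the normalizer and "%00" cannot truncate
 * the path later in a C string API. */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        int c = (unsigned char)*in;
        if (c == '%') {
            int h = hexval((unsigned char)in[1]);
            int l = (h < 0) ? -1 : hexval((unsigned char)in[2]);
            if (h < 0 || l < 0) return -1;
            c = h * 16 + l;
            in += 2;
        }
        if (c == 0) return -1;
        if (n + 1 >= outlen) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return 0;
}

/* Hardened mapping: decode once, then normalize lexically. "." and empty
 * segments are dropped, ".." pops a segment, and a ".." with nothing left to
 * pop is a traversal attempt and is rejected rather than clamped, so the
 * caller can log it. Returns 0 and writes root + "/" + segments into out, or
 * -1 on traversal, malformed encoding or overflow. */
int resolve_under_root(const char *root, const char *req_path, char *out, size_t outlen)
{
    char decoded[1024];
    const char *segs[MAX_SEGS];
    int depth = 0;

    if (url_decode(req_path, decoded, sizeof decoded) < 0) return -1;

    char *p = decoded;
    for (;;) {
        while (*p == '/') p++;              /* skip empty segments ("//") */
        if (*p == '\0') break;
        char *seg = p;
        while (*p && *p != '/') p++;
        if (*p) *p++ = '\0';                /* terminate this segment in place */
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (depth == 0) return -1;      /* would escape the document root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS) return -1;
        segs[depth++] = seg;
    }

    size_t n = strlen(root);
    if (n >= outlen) return -1;
    memcpy(out, root, n + 1);
    for (int i = 0; i < depth; i++) {
        size_t l = strlen(segs[i]);
        if (n + 1 + l >= outlen) return -1;
        out[n++] = '/';
        memcpy(out + n, segs[i], l);
        n += l;
        out[n] = '\0';
    }
    return 0;
}

int main(void)
{
    /* Constructed sample root and request paths. */
    const char *root = "/var/www";
    const char *reqs[] = { "/index.html", "/docs/../index.html",
                           "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd" };
    char out[256];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int a = resolve_naive(root, reqs[i], out, sizeof out);
        printf("naive    %-28s -> %s\n", reqs[i], a == 0 ? out : "(error)");
        int b = resolve_under_root(root, reqs[i], out, sizeof out);
        printf("hardened %-28s -> %s\n", reqs[i], b == 0 ? out : "REJECTED");
    }
    return 0;
}
```

Two practitioner notes on the design: decoding happens once, before splitting, so a single layer of percent-encoding cannot hide ".." and a doubly-encoded "%252e" stays a literal "%2e" filename rather than being decoded again; and the lexical check does not follow symlinks, so a deployment that must tolerate links under the document root still wants a realpath()-style check that the final target lies under the root, in addition to running the server as an unprivileged user.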
The CERT/CC is currently unaware of a practical solution to this problem.
Thanks to GOBBLES Security Advisory for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Date First Published: 2002-09-24
Date Last Updated: 2002-09-24 17:18 UTC