On a Cygwin environment, any files can be retrieved by malicious users.
Apache 1.3.29 and 2.0.48 (source compile version) vulnerability:
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini
cf.
http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00241.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661

Can anyone on Cygwin verify this issue? This should likely go to security@ if it is a real issue!
Bug 26152 (Apache 1.3.29) has been fixed by Stipe Tolj.
http://issues.apache.org/bugzilla/show_bug.cgi?id=26152
Bug 26153 is not yet fixed.
http://issues.apache.org/bugzilla/show_bug.cgi?id=26153

According to the ChangeLog (CAN-2002-0661), this was fixed in the 2.0.40 release.

It is similar to CAN-2002-0661, but it is a new bug in Apache (2.0.48 and below on Cygwin). Look at the difference between CAN-2002-0661 and this (%2e).
<CAN-2002-0661 attack signature>
http://[server]/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
<this bug attack signature>
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini
I've tested this on Apache 2.0.48 (Cygwin), and it did work. I guess the CAN-2002-0661 patch wasn't applied to the Cygwin portion.
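
A log check covering both request forms compared above, as an added example that is not part of the original bug thread or of Apache's code: it percent-decodes each request path, treats both `/` and `\` as separators, and flags paths that climb above the document root. The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
SEPARATORS = re.compile(r"[/\\]+")  # a Windows-backed filesystem accepts both

def escapes_root(target):
    """True if the decoded path climbs above the document root."""
    path = unquote(target.split("?", 1)[0])  # %5c -> '\', %2e -> '.'
    depth = 0
    for segment in SEPARATORS.split(path):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # more '..' than directories entered so far
                return True
        else:
            depth += 1
    return False

def flag_traversal(log_lines):
    """Return (client, target) for each request whose path escapes the root."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and escapes_root(match.group(1)):
            hits.append((line.split()[0], match.group(1)))
    return hits

# Constructed sample log lines; the two flagged paths are the signatures
# quoted in the thread, the client addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2004:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.11 - - [10/Jan/2004:10:00:02 +0000] '
    '"GET /%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.0" 200 477',
    '192.0.2.12 - - [10/Jan/2004:10:00:03 +0000] '
    '"GET /..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini HTTP/1.0" 200 211',
    '192.0.2.13 - - [10/Jan/2004:10:00:04 +0000] '
    '"GET /docs/..%5Cindex.html HTTP/1.1" 200 1043',  # stays inside the root
]

if __name__ == "__main__":
    for client, target in flag_traversal(SAMPLE_LOG):
        print(client, target)
```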