CVE
- Id
- 3776
- CVE No.
- CVE-2001-0971
- Status
- Candidate
- Description
- Directory traversal vulnerability in ACI 4d webserver allows remote attackers to read arbitrary files via a .. (dot dot) or drive letter (e.g., C:) in an HTTP request.
- Phase
- Modified (20020313-01)
- Votes
- ACCEPT(1) Green | MODIFY(1) Frech | NOOP(4) Armstrong, Cole, Foat, Wall | REJECT(1) Christey
- Comments
- Christey> According to an email message from the vendor | (bcoveney@4d.com) on March 13, 2002, this problem is only | possible if the server admin has already configured the | server"s web root to be at the top-level folder. This is not | the default. As such, any "directory traversal" attack would | not escape above the folder that has already been specified by | the admin. Since this is a generic misconfiguration problem | for all web servers, and not a default configuration of ACI | 4D, then this candidate should not be included in CVE. | | The quote from the vendor is: "By default the 4D WebServer | doesn"t have this behavior. A property has to be turned on to allow | this (despite our warnings of the consequences). We don"t allow pages | outside of our web folder to be served but if the developer of the | site wishes they can set the webroot folder to be whatever they | want. In the system that "krfinisterre@checkfree.com" evaluated the | developer had chosen to set their root folder to be the root of the | computer system (C:) and therefore all the files on the system were | available. By default we set the root folder at the same level as the | database folder so this doesn"t happen. You cannot look at any files | outside the designated WebFolder root tree." | Frech> XF:4d-webserver-directory-traversal(7010)
