Luigi Auriemma has identified multiple vulnerabilities in WWW File Share Pro, which can be exploited by malicious people to bypass restrictions or cause a Denial of Service.
1) It is possible to upload files to arbitrary locations using the default upload feature. The upload function fails to detect file names containing the "../" character sequence, so any file that is writable by the web server process can be overwritten.
2) It is possible to cause the server process to consume 100% CPU resources or possibly freeze the entire system by sending HTTP POST requests larger than 2 MB.
3) The directory password protection mechanism can be bypassed by prefixing or suffixing the directory name with different characters such as "\", "." and "//". This allows malicious people to access the contents of directories without the use of a username and password.
The vulnerabilities affect versions prior to 2.46.
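Issues 1 and 3 are both failures to canonicalize a client-supplied name before acting on it. The following is an added example, not code from the product or the advisory, showing one way a file-sharing server can make both decisions on a canonical form; `UPLOAD_ROOT`, `PROTECTED_DIRS` and the function names are hypothetical, and the request path is assumed to be percent-decoded already.

```python
from pathlib import PurePosixPath

# Hypothetical values for illustration; the advisory does not describe the product's configuration.
UPLOAD_ROOT = PurePosixPath("/srv/share/uploads")
PROTECTED_DIRS = {"/private"}  # stored lowercase, no trailing slash


def canonical_url_path(raw: str) -> str:
    """Collapse a percent-decoded request path to a single canonical form."""
    parts = []
    for seg in raw.replace("\\", "/").split("/"):  # backslash is a separator on Windows
        if seg == "..":
            if parts:
                parts.pop()  # never climb above the share root
            continue
        seg = seg.rstrip(". ")  # "private." and "private" name the same Windows directory
        if seg:  # drops ".", and the empty segments produced by "//"
            parts.append(seg.lower())  # Windows file names are case-insensitive
    return "/" + "/".join(parts)


def requires_auth(raw: str) -> bool:
    """Decide on the canonical path, not on the string the client sent."""
    canon = canonical_url_path(raw)
    return any(canon == d or canon.startswith(d + "/") for d in PROTECTED_DIRS)


def safe_upload_path(filename: str) -> PurePosixPath:
    """Accept a bare file name only; reject anything that could leave UPLOAD_ROOT."""
    if any(c in filename for c in "/\\:\0"):
        raise ValueError("path separators are not allowed in upload names")
    name = filename.rstrip(". ")
    if not name:  # covers "", "." and ".."
        raise ValueError("empty or relative upload name")
    return UPLOAD_ROOT / name
```

The same canonical path must also be the one used to open the file, otherwise the check and the access can still disagree.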