T. Hauck Jana Server 1.45/1.46 - Hex Encoded Directory Traversal

Author: neme-dhc
type: remote
platform: windows
port: 
date_added: 2001-05-07  
date_updated: 2012-08-26  
verified: 1  
codes: CVE-2001-0557;OSVDB-5779  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 20829.txt  

source: https://www.securityfocus.com/bid/2703/info

It is possible for a remote user to traverse the directories of a host running Jana Server. Submitting a specially crafted URL using hex encoded 'double dot' sequences will reveal arbitrary directories. In addition to revealing directories, this vulnerability could enable a user to obtain the contents of files readable by the webserver user.

www.example.com/%2e%2e/%2e%2e/

www.example.com/%2e%2e/%2e%2e/filename