COMMAND
Alibaba (httpd)
SYSTEMS AFFECTED
Alibaba 2.0
PROBLEM
Arne Vidstrom found the following security hole in the web server
Alibaba 2.0 (the latest version at the time of writing). Other
versions were not tested. Here's an example. If you install it so
that the web root is located in c:\alibaba\HtmlDocs\ you can send
the URL:
http://www.server.se/../../winnt/file.txt
and get the "file.txt" file: the ".." segments are not stripped, so
the request path is resolved outside the web root. This works all
over the disk Alibaba is installed on. If directory browsing isn't
allowed you have to know the pathname of the file you want. If
directory browsing is allowed you can start at the disk root
directory, but you have to enter the directories by hand when
browsing, because the server will assume they are located in the
web root, so if you just click around all you'll get is lots of
404's.
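The following Python snippet is an added illustration, not code from Alibaba or from the advisory: it reproduces the unchecked join-and-normalise that lets the ".." segments above escape the web root, and beside it the check a file server needs (normalise the candidate path, then refuse anything whose canonical form is not under the web root, comparing case-insensitively because Windows filesystems do). It also decodes percent-encoded segments before checking, since a check applied to the raw URL would miss "%2e%2e". The web root is the one from the advisory's example; the request URLs and the function names are constructed for the example.

```python
"""Path-traversal check for a file-serving web server (added example)."""
import ntpath
from urllib.parse import unquote, urlsplit

# Web root from the advisory's example installation.
WEB_ROOT = r"c:\alibaba\HtmlDocs"


def url_to_relative(url: str) -> str:
    """Take the path component of a URL, percent-decode it and turn it into
    a Windows-style relative path, i.e. the form a file server joins onto
    its web root."""
    path = unquote(urlsplit(url).path)
    return path.lstrip("/").replace("/", "\\")


def naive_resolve(web_root: str, url: str) -> str:
    """Join the request path onto the web root and normalise it, with no
    check that the result is still under the root. This is the behaviour
    the advisory describes: '..' segments walk out of the web root."""
    return ntpath.normpath(ntpath.join(web_root, url_to_relative(url)))


def safe_resolve(web_root: str, url: str):
    """Same join, but return None unless the normalised path lies inside
    the web root. The comparison is done on the canonical (normalised,
    lower-cased) forms, not on the raw URL text."""
    rel = url_to_relative(url)
    if "\x00" in rel:                      # NUL would truncate the name in C APIs
        return None
    root = ntpath.normcase(ntpath.normpath(web_root))
    candidate = ntpath.normpath(ntpath.join(web_root, rel))
    try:
        inside = ntpath.commonpath([root, ntpath.normcase(candidate)]) == root
    except ValueError:                     # other drive letter, e.g. "d:\..."
        inside = False
    return candidate if inside else None


if __name__ == "__main__":
    # Constructed requests: the advisory's traversal, an encoded variant,
    # a legitimate file and a '..' that stays inside the root.
    for url in (
        "http://www.server.se/../../winnt/file.txt",
        "http://www.server.se/%2e%2e/%2e%2e/winnt/file.txt",
        "http://www.server.se/index.html",
        "http://www.server.se/docs/../index.html",
    ):
        print(f"{url}\n  naive: {naive_resolve(WEB_ROOT, url)}"
              f"\n  safe:  {safe_resolve(WEB_ROOT, url)}")
```

The check compares canonical paths rather than searching the URL for "..": a substring filter misses encoded forms and blocks legitimate names, while a prefix test on the normalised path rejects exactly the requests that would leave the web root.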
SOLUTION
Next release should fix that.