COMMAND
Offline Explorer
SYSTEMS AFFECTED
Offline Explorer 1.0...1.2
PROBLEM
The following was found by Wyzewun and publicized in Forbidden
Knowledge Ezine 9 on May 19, 2000. By default, Offline Explorer
listens on port 800, where a remote user can gain read access
to a remote host's web cache and from there traverse directories.
A GET request containing "../..\" allows the remote user to
browse the cache and the directory structure above it.
The download directory is accessible via the internal Web server.
It is the only area meant to be accessible. However, in versions
1.0 - 1.2, if the URL http://127.0.0.1:800/./../../ is entered, it
is possible to get to a directory outside the download directory.
Exploit sample:

    GET ../..\ HTTP/1.1

    HTTP/1.0 200 OK
    Server: Web Downloader 4.1 (Win32)
    Content-Type: text/html
    Content-Length: 5048
SOLUTION
This problem was fixed in OE 1.3 Beta 1, and therefore in all
later versions as well. Areas outside the download directory can
no longer be accessed. The best workaround, of course, is to
download the latest version.
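
A containment check of the kind an embedded web server needs to keep requests inside its download directory, shown as an added example (not code from the advisory or from Offline Explorer). DOWNLOAD_ROOT and the function names are assumptions; the point is that both "/" and "\" must be treated as separators before ".." segments are resolved.

```python
import re
from urllib.parse import unquote

# Assumed download root for illustration; the advisory does not give the real path.
DOWNLOAD_ROOT = r"C:\Download"


def safe_segments(request_target):
    """Return path segments below the root, or None if the target escapes it."""
    path = unquote(request_target.split("?", 1)[0])  # drop query, decode once
    if "\x00" in path or ":" in path:  # NUL bytes, drive letters, NTFS streams
        return None
    stack = []
    # Win32 file APIs accept '/' and '\' alike, so split on both.
    for seg in re.split(r"[\\/]+", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:  # would climb above the download directory
                return None
            stack.pop()
        else:
            stack.append(seg)
    return stack


def resolve(request_target, root=DOWNLOAD_ROOT):
    """Map a request target to a file path under root, or None to refuse it."""
    segs = safe_segments(request_target)
    return None if segs is None else "\\".join([root] + segs)


if __name__ == "__main__":
    # Constructed sample targets: the two strings from the advisory plus variants.
    for target in ["../..\\", "/./../../", "/%2e%2e%5c%2e%2e/",
                   "/site/img/..\\index.htm", "/site/index.htm"]:
        print(repr(target), "->", resolve(target))
```
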