COMMAND

    Savant WWW

SYSTEMS AFFECTED

    Savant WWW Unicode version 2.1

PROBLEM

    The following is based on Hexyn/Securax Advisory #18. Savant WWW
    Server is an HTTP server for Windows 9x/NT. A bug allows any user
    to change to any directory and, in most cases, to execute MS-DOS
    commands.

    Savant filters "/.." out of the request string, but it does so before
    percent-decoding, so the URL-encoded form "%2f.." ("%2f" is the
    encoding of "/") passes the filter and is decoded afterwards.

        http://www.testserver.com/%2f..%2f..%2f../

        HTTP Directory of //../../../
        <directory listing of c:\>

    - When the user does not know a directory which allows listings,
      one cannot get a listing, but one can still download known
      files.
    - When the user knows a directory which allows CGI execution, one
      can execute MS-DOS commands using:

        http://www.test_server.com/cgi-bin/%2f..%2f..%2f../cmd.exe?+/c+dir
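
    The bypass above comes down to checking the raw request string
    before percent-decoding it. The following Python model is an added
    example (not Savant's code; the document root "/www", the sample
    request list and the double-encoded variant are assumed). It puts
    the advisory's literal "/.." filter next to a resolver that decodes
    first and then checks that the normalised path stays under the
    document root:

```python
from typing import Optional
from urllib.parse import unquote
import posixpath

DOCROOT = "/www"  # assumed document root for this model

# Constructed sample requests: the advisory's two URLs, a benign file,
# a literal traversal and a double-encoded variant (assumed, not from
# the advisory).
SAMPLE_PATHS = [
    "/index.html",
    "/%2f..%2f..%2f../",
    "/cgi-bin/%2f..%2f..%2f../cmd.exe",
    "/../../../",
    "/%252f..%252f../",
]

def naive_filter(raw_path: str) -> str:
    """Model of the filter the advisory describes: only literal "/.." is removed."""
    return raw_path.replace("/..", "")

def fully_decode(raw_path: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252f is caught too."""
    decoded = raw_path
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded

def resolve_safely(raw_path: str, docroot: str = DOCROOT) -> Optional[str]:
    """Decode first, then normalise; return the on-disk path, or None if it escapes docroot."""
    decoded = fully_decode(raw_path).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    if candidate != docroot and not candidate.startswith(docroot + "/"):
        return None
    return candidate

def naive_escapes(raw_path: str) -> bool:
    """True if the naive filter passes a path that leaves docroot once %2f is decoded."""
    return resolve_safely(naive_filter(raw_path)) is None

def audit(paths=SAMPLE_PATHS) -> dict:
    """Map each request to (naive filter bypassed?, hardened resolver result)."""
    return {p: (naive_escapes(p), resolve_safely(p)) for p in paths}

if __name__ == "__main__":
    for path, (bypassed, resolved) in audit().items():
        print(f"{path:36} naive bypassed={bypassed!s:5} hardened={resolved}")
```

    The hardened resolver rejects both advisory URLs and the double-encoded
    variant, while the literal-only filter lets every encoded form through.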

    Bug discovered by t-Omicr0n.

SOLUTION

    At this time, no patch is available.