COMMAND

    Simple Server

SYSTEMS AFFECTED

    Simple Server

PROBLEM

    'slipy' found  following.   The Simple  Server is  a User-Friendly
    Web Server that  handles HTTP requests.   It is Windows  based and
    extremely  convenient  to  configure  and  is  coded  in Java.  It
    requires the  Java Runtime  Environment package  in order  for the
    program to be able to execute.  Please note this program isn't the
    same as AnalogX's  "Simple Server".   This program was  originally
    called Free Java Server but has sense been changed to "The  Simple
    Server".

    Adding the string "/../" to an URL allows an attacker to view  any
    file on the server provided you  know where the file is at  in the
    first place.

    Examples:

        http://www.VULNERABLE.com/../../../../Scandisk.log

    The ../'s depend on where the httpd is installed and what file you
    are attempting to view.

SOLUTION

    Vendor has been contacted. Waiting for a reply.