CVE-2008-0338
MiniWeb HTTP Server 0.8.19 - Path Traversal via Partially Encoded Dot Dot Sequences
Exploitation Summary
EIP tracks 1 public exploit for CVE-2008-0338. PoCs published by Hamid Ebadi.
AI-analyzed exploit summary: The document describes two vulnerabilities in MiniWeb 0.8.19: a directory traversal flaw in mwGetLocalFileName() and a heap-based buffer overflow in _mwProcessReadSocket(). It includes proof-of-concept examples for both issues but does not provide functional exploit code.
Description
Directory traversal vulnerability in the mwGetLocalFileName function in http.c in MiniWeb HTTP Server 0.8.19 allows remote attackers to read arbitrary files and list arbitrary directories via a (1) .%2e (partially encoded dot dot) or (2) %2e%2e (encoded dot dot) in the URI.
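The description implies a path check that does not account for percent-encoding. The following is an added example, not MiniWeb's code (the page does not show the source of mwGetLocalFileName): it contrasts a check on the raw URI with one that decodes first. All function names are hypothetical and the sample paths in the checks are constructed.

```c
#include <ctype.h>
#include <string.h>

/* Hex digit value, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes exactly once. Returns -1 on a malformed escape, %00, or overflow. */
int url_decode(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    if (dstlen == 0) return -1;
    while (*src) {
        int ch = (unsigned char)*src++;
        if (ch == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0) return -1;          /* also stops at a truncated escape */
            ch = hi * 16 + lo;
            src += 2;
            if (ch == 0) return -1;         /* reject embedded NUL */
        }
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)ch;
    }
    dst[o] = '\0';
    return 0;
}

/* 1 if any segment is exactly "..", with '/' and '\\' both treated as separators. */
int has_dotdot_segment(const char *p) {
    while (*p) {
        size_t n = strcspn(p, "/\\");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        p += n;
        if (*p) p++;
    }
    return 0;
}

/* Flawed order: inspects the raw URI, so encoded dots are never seen as "..". */
int naive_is_safe(const char *uri) { return !has_dotdot_segment(uri); }

/* Corrected order: decode first, then inspect; the result must not be decoded again. */
int hardened_is_safe(const char *uri) {
    char buf[1024];
    return url_decode(uri, buf, sizeof buf) == 0 && !has_dotdot_segment(buf);
}
```

A segment check like this is a first gate only; resolving the final path and confirming it still lies under the document root covers cases such as symbolic links.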