CVE-2014-9707

EmbedThis GoAhead <3.4.1 - Path Traversal

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9707. PoCs published by Matthew Daley, including Metasploit module auxiliary/scanner/http/goahead_traversal.

AI-analyzed exploit summary: This Metasploit module exploits a directory traversal vulnerability in Embedthis GoAhead Web Server v3.4.1, allowing arbitrary file reads via crafted HTTP GET requests. It uses a traversal payload to escape the web root and fetch sensitive files like /etc/passwd.

Description

EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path segments starting with a . (dot), which allows remote attackers to conduct directory traversal attacks, cause a denial of service (heap-based buffer overflow and crash), or possibly execute arbitrary code via a crafted URI.

Exploits (1)

metasploit WORKING POC
by Matthew Daley · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/goahead_traversal.rb

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Embedthis GoAhead Web Server v3.4.1
No auth needed
Prerequisites: Network access to the target web server
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Issue Tracking x_refsource_confirm
https://github.com/embedthis/goahead/issues/106
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Mar/157
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032208
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/535027/100/0/threaded

Scores

EPSS 0.2842
EPSS Percentile 97.9%

Details

CWE: CWE-17
Status: published
Products (8)
embedthis/goahead 3.0.0
embedthis/goahead 3.3.1
embedthis/goahead 3.3.2
embedthis/goahead 3.3.3
embedthis/goahead 3.3.4
embedthis/goahead 3.3.5
embedthis/goahead 3.3.6
embedthis/goahead 3.4.0
Published Mar 31, 2015
Tracked Since Feb 18, 2026