Shay Priel has reported a vulnerability in SHTTPD, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an error within the handling of HTTP requests and can be exploited to disclose the source code of certain scripts (e.g. PHP) by appending e.g. "%20" to a URI. The vulnerability is reported in version 1.38. Other versions may also be affected.
setting status and cc'ing herd.
from http://sourceforge.net/mailarchive/forum.php?thread_name=72c3a9570706292333s57be3b44x8cca9849e37561c6%40mail.gmail.com&forum_name=shttpd-general

> I have tried on my UNIX stations here, shttpd shows 404 error,
> as it should be. Maybe it is Windows-specific?
> Unfortunately I do not have any Windows atm to play.
tried it with 1.38 and 1.35, the PoC doesn't work and it serves 404 as expected. closing as invalid. feel free to reopen if this PoC actually works for you on a Gentoo platform.