Acme.Serve 1.7 - Arbitrary File Access Vulnerability

EDB-ID: 20894 CVE: 2001-0748 OSVDB-ID: 5544
Verified: Author: Adnan Rahman Published: 2001-05-31
Download Exploit: Source Raw Download Vulnerable App: N/A

Acme.Serve is a free, open-source, embeddable webserver written in Java. It is small, is intended to provide minimal functionality, and is fully compatible with JavaServer.

Acme.Serve 1.7 comes with a webserver that listens on port 9090. This webserver allows clients to browse the filesystem. By default, this webserver is enabled and accessible by any remote host on the Internet.

If an attacker were to connect, they could view possibly sensitive information.

http://potentialvictim:9090//etc/shadow to view '/etc/shadow'.