Description
The default configuration of Serv-U 2.5d and earlier allows remote attackers to determine the real pathname of the server by requesting a URL for a directory or file that does not exist.
Affected products
- cat_soft / serv-u2.4 – 2.4
- cat_soft / serv-u2.5 – 2.5
- cat_soft / serv-u2.5a – 2.5a
- cat_soft / serv-u2.5b – 2.5b
- cat_soft / serv-u2.5c – 2.5c
- cat_soft / serv-u2.5d – 2.5d