Two weeks ago, I got a new tool: HttpWatch. It is a very handy tool for investigating the traffic flow between your machine and the web server. Previously I was using Fiddler for such jobs; when I gave HttpWatch a try, it was definitely lovely. If you are using Firefox, there is an equivalent tool known as Firebug.
The interesting thing I discovered on the Lowyat.net page is that there might be a potential path traversal vulnerability.
There is a specific URL that allows the webpage to download the flash (SWF file) advertisement. The flash file is passed in through the query string.
This can potentially lead to a path traversal attack. In general, path traversal allows an attacker to navigate to other folders/directories on the server and grab files from them.
By default, if you deploy your application on the Windows platform, many of you might just move the web project into C:\inetpub\wwwroot. If you have a path traversal vulnerability, an attacker can eventually grab any file on C:, including the Windows password file, Web.config and others.
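To make the point concrete, here is an added illustration (my own code, not anything from the Lowyat.net site): the vulnerable pattern of joining a query-string file name straight onto the ad folder, beside a hardened resolver that rejects anything leaving that folder and gives a reason you can log. The web root `/inetpub/wwwroot/ads` and the `.swf` allow-list are constructed for the example.

```python
"""Query-string file parameter: vulnerable join vs. hardened resolver."""
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed example values; not taken from the site discussed in the post.
AD_ROOT = "/inetpub/wwwroot/ads"
ALLOWED_EXT = {".swf"}


def resolve_unsafe(root: str, requested: str) -> str:
    """The vulnerable pattern: the ?file= value is joined onto the root as-is.
    '..' segments walk out of the ad folder, and an absolute value replaces
    the root entirely (posixpath.join discards everything before it)."""
    return posixpath.normpath(posixpath.join(root, unquote(requested)))


def resolve_safe(root: str, requested: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, path); verdict is 'ok' or a rejection reason for the log."""
    decoded = unquote(requested)            # one level of URL decoding
    if "\x00" in decoded:
        return "null_byte", None
    # Windows/IIS treat '\' as a separator too, so normalize it before checking.
    decoded = decoded.replace("\\", "/")
    root_norm = posixpath.normpath(root)
    # Strip a leading '/' so an absolute value cannot replace the root in join().
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    # After normalization the result must still sit strictly below the root.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return "outside_root", None
    # Only the file type this endpoint exists to serve is allowed.
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return "bad_extension", None
    return "ok", candidate


def triage(requests):
    """Run a batch of request values through the safe resolver for review."""
    return [(req,) + resolve_safe(AD_ROOT, req) for req in requests]


if __name__ == "__main__":
    # Constructed sample values of a ?file= parameter.
    samples = ["banner.swf", "../../web.config", "%2e%2e%2f%2e%2e%2fweb.config",
               "..\\..\\web.config", "web.config", "a%00.swf"]
    print("unsafe:", resolve_unsafe(AD_ROOT, "../../web.config"))
    for row in triage(samples):
        print("safe:  ", row)
```

Note that the unsafe resolver happily returns `/inetpub/web.config` for `../../web.config`, while the safe one reports `outside_root` for the plain, URL-encoded and backslash variants alike.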
If you are coming to my session at TechEd SEA this year, I will give an "eye-opening" demo of what path traversal can do.
To learn more about the path traversal attack, please go here.