https://www.exploit-db.com/exploits/21026
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200107-166

SambarServer5.0beta5之前版本的pagecountCGIscript存在目录遍历漏洞。远程攻击者可以借助page参数的..（点点）攻击覆盖任意文件。

source: http://www.securityfocus.com/bid/3091/info

Sambar Server is a multi-threaded HTTP server for Microsoft Windows and Unix systems.

Sambar WWW Server is bundled with a sample script('pagecount') which creates temporary files on the host. However, it is possible for a remote attacker to craft a web request which will cause pagecount to overwrite existing files. Files attacked in this manner will be corrupted.

Loss of critical data and a denial of services may occur if system files are overwritten.

http://sambarserver/session/pagecount?page=index will create a file in Sambar temp directory with name 'index'

http://sambarserver/session/pagecount?page=../../../../../../autoexec.bat then the script will rewrite the first symbols of c:autoexec.bat with it's number.

So we are able to add some text to any file on the disk.

来源:XF
名称:sambar-pagecount-overwrite-files(6916)
链接:http://xforce.iss.net/static/6916.php
来源:BID
名称:3092
链接:http://www.securityfocus.com/bid/3092
来源:www.sambar.com
链接:http://www.sambar.com/security.htm
来源:BUGTRAQ
名称:20010721SambarWebServerpagecountexploitcode
链接:http://archives.neohapsis.com/archives/bugtraq/2001-07/0565.html