Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Web Wiz Forums Input Validation Flaw in 'FolderName' Parameter Lets Remote Users Traverse the Directory
|
|
SecurityTracker Alert ID: 1019266
|
|
SecurityTracker URL: http://securitytracker.com/id?1019266
|
|
CVE Reference: CVE-2008-0480
(Links to External Site)
|
Updated: Feb 1 2008
|
Original Entry Date: Jan 25 2008
|
Impact: Disclosure of system information, Disclosure of user information
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 9.07
|
Description: AmnPardaz Security Research Team reported a vulnerability in Web Wiz Forums. A remote user can view files on the target system.
The 'RTE_file_browser.asp' and 'file_browser.asp' scripts do not properly validate user-supplied input in the 'FolderName' parameter.
A remote user can supply a specially crafted request to view files on target system that are located outside of the intended directory.
A
demonstration exploit URL is provided:
http://[target]/RTE_file_browser.asp?look=&sub=\.....\\\.....\\\.....\\\
The original
advisory is available at:
http://www.bugreport.ir/?/29
|
Impact: A remote user can view files on the target system.
|
Solution: The vendor has issued a fixed version (9.08).
|
Vendor URL: www.webwizguide.com/webwizforums/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Windows (Any)
|
Reported By: admin@bugreport.ir
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 23 Jan 2008 11:03:13 +0330
From: admin@bugreport.ir
Subject: Web Wiz Forums Directory traversal
|
########################## WwW.BugReport.ir
###########################################
# AmnPardaz Security Research Team
# Title: Web Wiz Forums(TM)
# Vendor: http://www.webwizguide.com/
# Bug: Directory traversal
# Vulnerable Version: 9.07
# Exploit: Available
# Fix Available: No! Fast Solution is available.
###################################################################################
####################
- Description:
####################
Web Wiz Forums bulletin board system is the ideal forum package for
your website's community.
####################
- Vulnerability:
####################
Input passed to the FolderName parameter in "RTE_file_browser.asp" and
"file_browser.asp" are not properly sanitised before being used. This
can be exploited to list directories, list txt and list zip files
through directory traversal attacks.
Also, "RTE_file_browser.asp" does not check user's session and an
unauthenticated attacker can perform this attack.
-POC:
http://[WebWiz Forum]/RTE_file_browser.asp?look=&sub=\.....\\\.....\\\.....\\\
####################
- Fast Solution :
####################
You can see below lines in "RTE_file_browser.asp" and "file_browser.asp"
'Stip path tampering for security reasons
strSubFolderName = Replace(strSubFolderName, "../", "", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "..\", "", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "./", "", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, ".\", "", 1, -1, 1)
Only add this to them:
strSubFolderName = Replace(strSubFolderName, "/", "\", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "\\", "\", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "..", "", 1, -1, 1)
####################
- Credit :
####################
Original Advisory: http://www.bugreport.ir/?/29
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com
|
|
Go to the Top of This SecurityTracker Archive Page
|
