Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Web Wiz NewsPad Input Validation Flaw in 'FolderName' Parameter Lets Remote Users Traverse the Directory
|
|
SecurityTracker Alert ID: 1019268
|
|
SecurityTracker URL: http://securitytracker.com/id?1019268
|
|
CVE Reference: CVE-2008-0479
(Links to External Site)
|
Updated: Feb 1 2008
|
Original Entry Date: Jan 25 2008
|
Impact: Disclosure of system information, Disclosure of user information
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 1.02
|
Description: AmnPardaz Security Research Team reported a vulnerability in Web Wiz NewsPad. A remote user can view files on the target system.
The 'RTE_file_browser.asp' script does not properly validate user-supplied input. A remote user can supply a specially crafted request
to view files on target system that are located outside of the intended directory.
A demonstration exploit URL is provided:
http://[target]/RTE_file_browser.asp?loo
k=&sub=\.....\\\.....\\\.....\\\
The original advisory is available at:
http://www.bugreport.ir/?/30
|
Impact: A remote user can view files on the target system.
|
Solution: The vendor has issued a fixed version (1.03).
|
Vendor URL: www.webwizguide.com/webwiznewspad/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Windows (Any)
|
Reported By: admin@bugreport.ir
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 23 Jan 2008 11:04:33 +0330
From: admin@bugreport.ir
Subject: Web Wiz NewsPad Directory traversal
|
########################## WwW.BugReport.ir
###########################################
# AmnPardaz Security Research Team
# Title: Web Wiz NewsPad(TM)
# Vendor: http://www.webwizguide.com/
# Bug: Directory traversal
# Vulnerable Version: 1.02
# Exploit: Available
# Fix Available: No! Fast Solution is available.
###################################################################################
####################
- Description:
####################
Web Wiz NewsPad is an advanced but easy to use Email Newsletter and
Website News Bulletin software.
####################
- Vulnerability:
####################
Input passed to the FolderName parameter in "RTE_file_browser.asp" is
not properly sanitised before being used. This can be exploited to
list directories, list txt and list zip files through directory
traversal attacks.
Also, "RTE_file_browser.asp" does not check user's session and an
unauthenticated attacker can perform this attack.
-POC:
http://[WebWiz
NewsPad]/RTE_file_browser.asp?look=&sub=\.....\\\.....\\\.....\\\
####################
- Fast Solution :
####################
You can see below lines in "RTE_file_browser.asp"
'Stip path tampering for security reasons
strSubFolderName = Replace(strSubFolderName, "../", "", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "..\", "", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "./", "", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, ".\", "", 1, -1, 1)
Only add this to them:
strSubFolderName = Replace(strSubFolderName, "/", "\", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "\\", "\", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "..", "", 1, -1, 1)
####################
- Credit :
####################
Original Advisory: http://www.bugreport.ir/?/30
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com
|
|
Go to the Top of This SecurityTracker Archive Page
|
