Web Wiz Forums Directory traversal

2008.01.29
Credit: AmnPardaz
Risk: Low
Local: No
Remote: Yes
CWE: CWE-22


Ogólna skala CVSS: 5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Brak
Wpływ na dostępność: Brak

########################## WwW.BugReport.ir ########################################### # # AmnPardaz Security Research Team # # Title: Web Wiz Forums(TM) # Vendor: http://www.webwizguide.com/ # Bug: Directory traversal # Vulnerable Version: 9.07 # Exploit: Available # Fix Available: No! Fast Solution is available. ######################################################################## ########### #################### - Description: #################### Web Wiz Forums bulletin board system is the ideal forum package for your website's community. #################### - Vulnerability: #################### Input passed to the FolderName parameter in "RTE_file_browser.asp" and "file_browser.asp" are not properly sanitised before being used. This can be exploited to list directories, list txt and list zip files through directory traversal attacks. Also, "RTE_file_browser.asp" does not check user's session and an unauthenticated attacker can perform this attack. -POC: http://[WebWiz Forum]/RTE_file_browser.asp?look=&sub=\.....\\\.....\\\.....\\ #################### - Fast Solution : #################### You can see below lines in "RTE_file_browser.asp" and "file_browser.asp" 'Stip path tampering for security reasons strSubFolderName = Replace(strSubFolderName, "../", "", 1, -1, 1) strSubFolderName = Replace(strSubFolderName, "..\", "", 1, -1, 1) strSubFolderName = Replace(strSubFolderName, "./", "", 1, -1, 1) strSubFolderName = Replace(strSubFolderName, ".\", "", 1, -1, 1) Only add this to them: strSubFolderName = Replace(strSubFolderName, "/", "\", 1, -1, 1) strSubFolderName = Replace(strSubFolderName, "\\", "\", 1, -1, 1) strSubFolderName = Replace(strSubFolderName, "..", "", 1, -1, 1) #################### - Credit : #################### Original Advisory: http://www.bugreport.ir/?/29 AmnPardaz Security Research & Penetration Testing Group Contact: admin[4t}bugreport{d0t]ir WwW.BugReport.ir WwW.AmnPardaz.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top