Vulnerability CVE-2010-2850
Published: 2010-07-24   Modified: 2012-02-13

Description:
Directory traversal vulnerability in productionnu2/fileuploader.php in nuBuilder 10.04.20, and possibly other versions before 10.07.12, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the dir parameter.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
nuBuilder 10.04.20 local file inclusion
John Leitch
07.07.2010
Med.
nuBuilder 10.04.20 Local File Inclusion
John Leitch
27.07.2010
Med.
nuBuilder 10.04.20 Local File Inclusion Vulnerability
John Leitch
04.08.2010

Type:

CWE-22

 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Nusoftware -> Nubuilder 

 References:
http://www.nubuilder.com/nubuilderwww/change.php?changelog_id=14c3d1ea2a9fab
http://xforce.iss.net/xforce/xfdb/60138
http://www.vupen.com/english/advisories/2010/1726
http://www.securityfocus.com/bid/41404
http://www.osvdb.org/66006
http://secunia.com/advisories/40483
http://packetstormsecurity.org/1007-exploits/nubuilder-lfi.txt
http://cross-site-scripting.blogspot.com/2010/07/nubuilder-100420-local-file-inclusion.html
Copyright 2024, cxsecurity.com

 

Back to Top