Unidomedia Chameleon LE/Pro Directory Traversal

2006.07.26
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Date of Advisory: ----------------- July 20th 2006 Product: -------- Chameleon LE <= 1.203 Chameleon Pro is suspected to be vulnerable but since I am cheap and not about to pay $99 for the pro version to check if a bug exists I CAN NOT confirm that the Pro version is vulnerable but can assume since it shares most of the same code. Vendor: ------- Unidomedia Description: ------------ Chameleon is the answer to your online advertising needs! Chameleon can be used for general advertising too, if you wish. Configure it in minutes to accept all types of ads. If you want to be specific, Chameleon will have you up and running in minutes, with ad submission and search forms tailored just the way you like. Exploit or Vulnerability: ------------------------- There is a directory traversal vulnerabilities in index.php The vulnerability is at line 34: include "chd_ads/$_GET[rmid]"; The user can pass a directory traversal attack to index.php?rmid= and can load ANY file on the server that the attacker has read access to. This can lead to a user gaining information such as server usernames from the passwd file or reading other website files which could lead to vulnerable information being accessed. Proof of Concept (PoC): ----------------------- http://www.victim.com/index.php?rmid=[directory traversal] Vendor Status: -------------- Vendor has been notified but have yet to receive any notification or communication from vendor on this issue. Solution: --------- No known vendor solution at this time.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top