SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Web Wiz Forums
Vendors:   Web Wiz Guide
Web Wiz Forums Input Validation Flaw in 'FolderName' Parameter Lets Remote Users Traverse the Directory
SecurityTracker Alert ID:  1019266
SecurityTracker URL:  http://securitytracker.com/id/1019266
CVE Reference:   CVE-2008-0480
Updated:  Feb 1 2008
Original Entry Date:  Jan 25 2008
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 9.07
Description:   AmnPardaz Security Research Team reported a vulnerability in Web Wiz Forums. A remote user can view files on the target system.

The 'RTE_file_browser.asp' and 'file_browser.asp' scripts do not properly validate user-supplied input in the 'FolderName' parameter. A remote user can supply a specially crafted request to view files on the target system that are located outside of the intended directory.

A demonstration exploit URL is provided:

http://[target]/RTE_file_browser.asp?look=&sub=\.....\\\.....\\\.....\\\

The original advisory is available at:

http://www.bugreport.ir/?/29

Impact:   A remote user can view files on the target system.
Solution:   The vendor has issued a fixed version (9.08).
Vendor URL:  www.webwizguide.com/webwizforums/
Cause:   Input validation error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Wed, 23 Jan 2008 11:03:13 +0330
Subject:  Web Wiz Forums Directory traversal

########################## WwW.BugReport.ir  
###########################################
#
#      AmnPardaz Security Research Team
#
# Title: Web Wiz Forums(TM)
# Vendor: http://www.webwizguide.com/
# Bug: Directory traversal
# Vulnerable Version: 9.07
# Exploit: Available
# Fix Available: No! Fast Solution is available.
###################################################################################


####################
- Description:
####################
Web Wiz Forums bulletin board system is the ideal forum package for your website's community.

####################
- Vulnerability:
####################
Input passed to the FolderName parameter in "RTE_file_browser.asp" and "file_browser.asp" is not properly sanitised before being used. This can be exploited to list directories, list txt and list zip files through directory traversal attacks.
Also, "RTE_file_browser.asp" does not check the user's session, and an unauthenticated attacker can perform this attack.

-POC:
http://[WebWiz Forum]/RTE_file_browser.asp?look=&sub=\.....\\\.....\\\.....\\\


####################
- Fast Solution :
####################
You can see below lines in "RTE_file_browser.asp" and "file_browser.asp"

	'Strip path tampering for security reasons
	strSubFolderName = Replace(strSubFolderName, "../", "", 1, -1, 1)
	strSubFolderName = Replace(strSubFolderName, "..\", "", 1, -1, 1)
	strSubFolderName = Replace(strSubFolderName, "./", "", 1, -1, 1)
	strSubFolderName = Replace(strSubFolderName, ".\", "", 1, -1, 1)

Only add this to them:
	strSubFolderName = Replace(strSubFolderName, "/", "\", 1, -1, 1)
	strSubFolderName = Replace(strSubFolderName, "\\", "\", 1, -1, 1)
	strSubFolderName = Replace(strSubFolderName, "..", "", 1, -1, 1)

####################
- Credit :
####################
Original Advisory: http://www.bugreport.ir/?/29
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com
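As an added illustration, not code from SecurityTracker, the vendor or AmnPardaz: the Python below re-expresses the vendor's four Replace() lines and the advisory's proposed fast-solution lines (Python's str.replace has the same single-pass, non-rescanning semantics as VBScript Replace with count -1), runs them over the advisory's demonstration 'sub' value, and sets beside them a canonicalisation check that confines the resolved path to the upload folder. The upload root path and the folder-name allow-list are assumptions.

```python
import ntpath
import re
from typing import Optional

# Constructed for this example (not from the advisory): the folder the file
# browser is meant to list on the Windows host running Web Wiz Forums.
UPLOAD_ROOT = r"C:\inetpub\wwwroot\forum\uploads"
# The 'sub' value from the advisory's demonstration URL, assembled piecewise
# so the escaped literal stays readable: \.....\\\.....\\\.....\\\
POC_SUB = "\\....." + "\\\\\\....." * 2 + "\\\\\\"


def vendor_filter(sub: str) -> str:
    """The four Replace() lines from the 9.07 file browser scripts. str.replace,
    like VBScript Replace with count -1, removes every non-overlapping match in
    a single left-to-right pass and does not rescan what remains."""
    for seq in ("../", "..\\", "./", ".\\"):
        sub = sub.replace(seq, "")
    return sub


def fast_solution_filter(sub: str) -> str:
    """Vendor filter plus the three Replace() lines the advisory proposes."""
    sub = vendor_filter(sub).replace("/", "\\").replace("\\\\", "\\")
    return sub.replace("..", "")


def resolve_under_root(root: str, sub: str) -> Optional[str]:
    """Canonicalise root + sub under Windows path rules and accept the result
    only if it still lies inside root (else None). Checking the outcome rather
    than enumerating bad sequences also catches a leading '\\', which re-roots
    the path at the drive, and any '..' that survives a filter."""
    root_c = ntpath.normcase(ntpath.normpath(root))
    resolved = ntpath.normpath(ntpath.join(root, sub))
    resolved_c = ntpath.normcase(resolved)
    if resolved_c != root_c and not resolved_c.startswith(root_c + "\\"):
        return None
    # Defence in depth: ntpath does not model every Win32 quirk (trailing dots
    # and spaces are trimmed from names), so also require plain folder names.
    relative = resolved[len(root_c):].lstrip("\\")
    if relative and not all(re.fullmatch(r"[A-Za-z0-9_-]+", part)
                            for part in relative.split("\\")):
        return None
    return resolved


if __name__ == "__main__":
    print("vendor filter  :", vendor_filter(POC_SUB))         # \..\..\..\
    print("fast solution  :", fast_solution_filter(POC_SUB))  # \\\\
    print("canonical check:", resolve_under_root(UPLOAD_ROOT, POC_SUB))  # None
```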
Copyright 2014, SecurityGlobal.net LLC