Exploit Web Wiz Forums 9.07 - 'sub' Directory Traversal

Exploiter

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
4970
Проверка EDB
  1. Пройдено
Автор
BUGREPORT.IR
Тип уязвимости
WEBAPPS
Платформа
ASP
CVE
cve-2008-0480 cve-2008-0466
Дата публикации
2008-01-23
Код: 
########################## WwW.BugReport.ir ###########################################
#
#      AmnPardaz Security Research Team
#
# Title: Web Wiz Forums(TM)
# Vendor: http://www.webwizguide.com/
# Bug: Directory traversal
# Vulnerable Version: 9.07
# Exploit: Available
# Fix Available: No! Fast Solution is available.
###################################################################################


####################
- Description:
####################
Web Wiz Forums bulletin board system is the ideal forum package for your website's community. 

####################
- Vulnerability:
####################
Input passed to the FolderName parameter in "RTE_file_browser.asp" and "file_browser.asp" are not properly sanitised before being used. This can be exploited to list directories, list txt and list zip files through directory traversal attacks.
Also, "RTE_file_browser.asp" does not check user's session and an unauthenticated attacker can perform this attack.

-POC:
http://[WebWiz Forum]/RTE_file_browser.asp?look=&sub=\.....\\\.....\\\.....\\\


####################
- Fast Solution :
####################
You can see below lines in "RTE_file_browser.asp" and "file_browser.asp"

	'Stip path tampering for security reasons
	strSubFolderName = Replace(strSubFolderName, "../", "", 1, -1, 1)
	strSubFolderName = Replace(strSubFolderName, "..\", "", 1, -1, 1)
	strSubFolderName = Replace(strSubFolderName, "./", "", 1, -1, 1)
	strSubFolderName = Replace(strSubFolderName, ".\", "", 1, -1, 1)

Only add this to them:
	strSubFolderName = Replace(strSubFolderName, "/", "\", 1, -1, 1)
	strSubFolderName = Replace(strSubFolderName, "\\", "\", 1, -1, 1)
	strSubFolderName = Replace(strSubFolderName, "..", "", 1, -1, 1)	

####################
- Credit :
####################
Original Advisory: http://www.bugreport.ir/?/29
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com

# milw0rm.com [2008-01-23]
 
Источник
www.exploit-db.com
Войдите или зарегистрируйтесь для ответа.

Похожие темы

Exploiter
Exploit Jive Forums 5.5.25 - Directory Traversal
Ответы
0
Просмотры
485
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit MiniHTTPServer Web Forums Server 1.x/2.0 - Directory Traversal
Ответы
0
Просмотры
321
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit WordPress Plugin Zingiri Forums - 'language' Local File Inclusion
Ответы
0
Просмотры
491
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Web Wiz Forums - Multiple Cross-Site Scripting Vulnerabilities
Ответы
0
Просмотры
458
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Web Wiz Forums 8.05 - String Filtering SQL Injection
Ответы
0
Просмотры
420
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Snitz Forums 2000 - 'down.asp' HTTP Response Splitting
Ответы
0
Просмотры
461
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Snitz Forums 2000 - 'TOPIC_ID' SQL Injection
Ответы
0
Просмотры
466
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Vanilla Forums 2.0 < 2.0.18.5 - 'class.utilitycontroller.php' PHP Object Injection
Ответы
0
Просмотры
453
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit FuseTalk Forums 3.2 - 'windowed' Cross-Site Scripting
Ответы
0
Просмотры
429
Эксплойты & Уязвимости
Exploiter
Exploiter
Exploiter
Exploit Allaire Forums 2.0.4 - Getfile
Ответы
0
Просмотры
399
Эксплойты & Уязвимости
Exploiter
Exploiter
Сверху Снизу