Press CTRL-D to bookmark us
Welcome Guest Login / Register / Members
Search in  
Top Submit newsSubscribe
Communication | Computer Crime | Digital Audio, Video, Photo | General News | Hardware | Internet | Mobile | PDA | Security | Software | Vulnerability |
Previous articleBack to news listNext article
 

 Sponsored links

Want to become one of our authors and see your work published on ALLSeek.iNFO ?
 
 KorWeblog Input Validation Error in 'viewing.php' Lets Remote Users Obtain Directory Listings
Categorie: Vulnerability
Posted: 2004-11-29 by ReCall
Views: 435
Source: Click here
 		Current Rating: Not rated
Poor Best
 Details
Description: STG Security reported an input validation vulnerability in KorWeblog. A remote user can view directory listings.

It is reported that the 'viewing.php' script does not properly validate user-supplied input in the 'path' variable. A remote user can submit a specially crafted URL to view a list of files within an arbitrary directory.

A demonstration exploit URL is provided:

http://[target]/viewimg.php?path= images.d/face/../../../../../../../&form=Com&var=faceicon

Impact: A remote user can view arbitrary directory listings with the privileges of the target web service.

Solution: The vendor has issued a fix, available at:

http://kldp.net/tracker/index.php?func=detail&aid=300515&group_id=13&atid=300013
 
Syndication
Permalink Email this

The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=1134

User comments (post your comments here)

Only registerd members can post comments and articles
 
Previous articleBack to news listNext article
 


InterJOB.su
Bookmark us | Set As Homepage | Advertising | Contact Us | Recomend us | Link us | Links | Terms

SpyLOG Page Rank Checker
LAST QUERIES