Computer Security
[EN] securityvulns.ru



From: matrix_killer ma3x <matrix_k_(at)_abv.bg>
Date: 28.08.2006
Subject: Assault Content Manager v.1.2 Directory Traversal Vulnerability

Assault Content Manager v.1.2 Directory Traversal Vulnerability

SEVERITY:
=========
Medium

SOFTWARE:
=========
Assault Content Manager v1.2

http://www.assaultcms.com/

INFO:
=====
Assault Content Manager v1.2 is a simple CMS that uses files to store information.

DESCRIPTION:
============
Assault Content Manager v1.2 is vulnerable to a directory traversal attack via the dir parameter of the downloads page.

Examples:

Create an account and log in. Then make this request:

http://127.0.0.1/acm/index.php?downloads&dir=../

The vulnerable code is:

$link="?downloads&dir={$value}

where $value is not checked or filtered in any way.

*The bug isn't affected by magic_quotes_gpc or register_globals.

VENDOR STATUS
=============
The vendor was contacted, but no response has been received to date.

MY FIX:
=======
Open downloads.php (it's located in the includes folder) and, after the line $direct=$_SERVER['QUERY_STRING']; add:

if (preg_match("/\.\./i", $dir)) {   // reject any dir value that contains ".."
    echo "HACKING attempt !";
    exit(0);
} // keep it simple and effective !
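
A stricter variant of the fix above, as an added example that is not part of the original advisory or of Assault CMS: instead of matching ".." in the input, it canonicalises the requested directory with realpath() and accepts it only if the result stays inside the downloads directory. The function name resolve_download_dir and the demo directory layout are assumptions.

```php
<?php
// Added example, not Assault CMS code. Function name and layout are hypothetical.

/**
 * Resolve a user-supplied sub-directory against $baseDir and return the
 * canonical path only if it stays inside $baseDir; otherwise return null.
 */
function resolve_download_dir(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    // Reject NUL bytes up front; filesystem functions refuse them anyway.
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and fails for missing paths.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Compare with a trailing separator so "downloads" does not match "downloads-private".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo layout in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'acm_demo_' . getmypid();
$base = $root . DIRECTORY_SEPARATOR . 'downloads';
mkdir($base . DIRECTORY_SEPARATOR . 'docs', 0700, true);
mkdir($root . DIRECTORY_SEPARATOR . 'downloads-private', 0700, true);

// Constructed sample values for the "dir" parameter.
$samples = ['', 'docs', 'docs/..', '../', 'docs/../../', '../downloads-private', 'missing'];
foreach ($samples as $dir) {
    $resolved = resolve_download_dir($base, $dir);
    printf("%-24s => %s\n", var_export($dir, true), $resolved === null ? 'rejected' : 'allowed');
}

// Clean up the demo directories.
rmdir($base . DIRECTORY_SEPARATOR . 'docs');
rmdir($base);
rmdir($root . DIRECTORY_SEPARATOR . 'downloads-private');
rmdir($root);
```

The check runs on the path the filesystem would actually open, so values such as "docs/.." that resolve back inside the downloads directory are still accepted, while anything that resolves outside it is refused.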


This vulnerability was discovered by matrix_killer

mail : matrix_k at abv.bg

Greets: EcLiPsE, Blood3R and Acid_BDS

