########################## WwW.BugReport.ir
###########################################

AmnPardaz Security Research Team

Title: Web Wiz Forums(TM)

Vendor: http://www.webwizguide.com/

Bug: Directory traversal

Vulnerable Version: 9.07

Exploit: Available

Fix Available: No! Fast Solution is available.

###################################################################################

####################

• Description:
  ####################
  Web Wiz Forums bulletin board system is the ideal forum package for
  your website's community.

####################

• Vulnerability:
  ####################
  Input passed to the FolderName parameter in "RTE_file_browser.asp" and
  "file_browser.asp" are not properly sanitised before being used. This
  can be exploited to list directories, list txt and list zip files
  through directory traversal attacks.
  Also, "RTE_file_browser.asp" does not check user's session and an
  unauthenticated attacker can perform this attack.

-POC:
http://[WebWiz Forum]/RTE_file_browser.asp?look=&sub=\…\\\…\\\…\\\

####################

• Fast Solution :
  ####################
  You can see below lines in "RTE_file_browser.asp" and "file_browser.asp"

    'Stip path tampering for security reasons
    strSubFolderName = Replace(strSubFolderName, "../", "", 1, -1, 1)
    strSubFolderName = Replace(strSubFolderName, "..\", "", 1, -1, 1)
    strSubFolderName = Replace(strSubFolderName, "./", "", 1, -1, 1)
    strSubFolderName = Replace(strSubFolderName, ".\", "", 1, -1, 1)
  

Only add this to them:
strSubFolderName = Replace(strSubFolderName, "/", "\", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "\\", "\", 1, -1, 1)
strSubFolderName = Replace(strSubFolderName, "…", "", 1, -1, 1)

####################

• Credit :
  ####################
  Original Advisory: http://www.bugreport.ir/?/29
  AmnPardaz Security Research & Penetration Testing Group
  Contact: admin[4t}bugreport{d0t]ir
  WwW.BugReport.ir
  WwW.AmnPardaz.com