| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 21 Nov 2007 20:45:19 -0000 From: Joseph.giron13@...il.com To: bugtraq@...urityfocus.com Subject: GWextranet Multiple Vulnerabilites GWextranet Multiple Vulnerabilites Vendor: Messaging Architects http://www.gwtools.com/en/gwextranet/eval/ http://www.example/gwextranet/scp.dll/sendto?user=calendar+of+events&mid=474020FA.GWEMAIL_DEPOT.SDEPO.100.167656B.1.1B00.1&template=.././../../boot.ini%00 http://www.example.com/gwextranet/scp.dll/nbfile?user=calendar%20of%20events&format=&mid=46FA2724.GWEMAIL_DEPOT.SDEPO.100.167656B.1.198E.1&folder=Calendar&altcolor=cccccc&template=gwextra&caldays=1&startday=&file=../scp.dll Just about any action module that request a template or file you can include a file from elsewhere on the server. I was able to refer to the manual on GwExtranet to obtain all the files that utilize the file and template paramenters. They are List, Monthcal, Item, frmonth, week, frameset, fhead, frlist, getvcs, Xlist, nblist, nbitem, nbfile, directory, xlist, sendto, Xweek, Xmonth, And finally Xitem. The compose module allows you to add new events to a specific group, but allows for Script code to be injected inside. The result of say...a well placed body onload event effectively defaces the front page until the month is over. (when the event calendar rolls over to a new month). Vendor Notified (they refused to give me a direct line), no patch yet. Happy Hacking!
Powered by blists - more mailing lists