Date: 22 Aug 2004 17:56:32 -0000
From: Joxean Koret <joxeankoret@...oo.es>
To: bugtraq@...urityfocus.com
Subject: Bugs fixed in Version 1.4.3


In-Reply-To: <20040820225036.17877.qmail@....securityfocus.com>

 
>B. Unspecified File Download Vulnerability  
>  
>B1. An error in the MyDMS software allows
>registered users (and only
>registered users) to download any file, such
>as /etc/passwd, by inserting in a
>parameter a text such as ../../../../../etc/passwd.
>Contact:  
 
The author has released a new version (1.4.3)
that solves the arbitrary file download
problem.
 
Problem Description : 
~~~~~~~~~~~~~~~~~ 
 
When you want to download a file stored in
MyDMS, it internally calls a PHP script (called
op.ViewOnline.php).
 
The 'request' parameter of this script is a field
with 3 parts, separated by the ':' character.
 
The first part is the DocumentID (DocumentID in
database). The second part is the Document
Version. The third part is the document name.

I don't know why the author uses the third part
(the document name), because he has the
DocumentID to retrieve it (or its name) from the
MySQL Database server.
 
The problem is the following: if you change the
document name to, for
example, ../../../../../etc/passwd, you will download
the file /etc/passwd from the Web Server.
 
To try the vulnerability, follow these steps:

1.- Log in to MyDMS
2.- Enter the following URL in your browser:
 
http://<site-with-mydms>/mydms/op/op.ViewOnline.php?request=4:6:/../../../../../../../../../../../../etc/passwd 
 
Where '4' is the document id and '6' is the 
document version. 
 
You need to know a valid document id and a
valid document version, and you need an
account in the MyDMS system, but a user with
this data may download any file that he/she
wants.
 
Bye 
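
One way to handle the three-part 'request' field defensively, as an added example (it is not MyDMS code and not the fix shipped in 1.4.3): the id and version are accepted only as numbers, the file name is taken from a server-side record instead of the request, and the resolved path must stay inside the content directory. The function names, the $stored lookup table and the temporary directory are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; not MyDMS source code.

// Split "docid:version:name"; accept only a numeric id and version.
function parse_request(string $request): ?array
{
    $parts = explode(':', $request, 3);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    return ['id' => (int) $parts[0], 'version' => (int) $parts[1], 'name' => $parts[2]];
}

// Resolve $name under $baseDir; null if the real path leaves $baseDir.
function resolve_inside(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    $path = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample data: a temporary content directory and a stand-in for
// the database table that maps (document id, version) to the stored file name.
$contentDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dms_demo_' . uniqid();
mkdir($contentDir);
file_put_contents($contentDir . DIRECTORY_SEPARATOR . 'report-v6.txt', "quarterly report\n");
$stored = ['4:6' => 'report-v6.txt'];

$requests = [
    '4:6:report-v6.txt',
    '4:6:/../../../../../../../../../../../../etc/passwd', // value from the post
    '4:x:report-v6.txt',                                   // non-numeric version
];
foreach ($requests as $request) {
    $req = parse_request($request);
    $key = $req === null ? '' : $req['id'] . ':' . $req['version'];
    // The file name comes from the server-side record, never from the request.
    $path = isset($stored[$key]) ? resolve_inside($contentDir, $stored[$key]) : null;
    // Containment check applied to the request's own third field, for comparison.
    $naive = $req === null ? null : resolve_inside($contentDir, $req['name']);
    printf("%-52s served=%s name-field-inside-dir=%s\n", $request,
        $path === null ? 'no' : basename($path), $naive === null ? 'no' : 'yes');
}
unlink($contentDir . DIRECTORY_SEPARATOR . 'report-v6.txt');
rmdir($contentDir);
```

Because the served path is derived from the id and version alone, the traversal string in the third field has no effect on which file is read; the containment check is a second layer in case a stored name is ever attacker-influenced.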

