lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 24 Nov 2004 02:59:37 -0000
From: <advisory@...security.com>
To: bugtraq@...urityfocus.com
Subject: STG Security Advisory: [SSA-20041122-10] KorWeblog directory
    traversal vulnerability




STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal
vulnerability

Revision 1.3
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (advisory@...security.com)

Summary
========
KorWeblog is a weblog application used by many Korean Linux users.

It has a directory traversal vulnerability that malicious attackers can get
file lists of arbitrary directories.

Vendor URL
==========
http://weblog.kldp.org

Vulnerability Class
===================
Implementation Error: Input validation flaw

Details
=======
KorWeblog has a function to insert image icons when users post replies. This
function is implemented in viewimg.php.
It doesn't check user input correctly, so malicious attackers can modify
$path variable and can get file lists of a target directory.

http://[victim]/viewimg.php?path=images.d/face/../../../../../../../&form=Co
m&var=faceicon

Impact
======
Medium: Information disclosure

Workaround
==========
please download and apply viewimg.diff from
http://kldp.net/tracker/index.php?func=detail&aid=300515&group_id=13&atid=30
0013

--- viewimg-org.php	2004-09-21 13:08:15.000000000 +0900
+++ viewimg.php	2004-09-21 13:08:44.000000000 +0900
@@ -63,13 +63,13 @@
 <TABLE BORDER="0" CELLSPACING="3" CELLPADDING="5" ALIGN="CENTER">
 <TR>
 <?
-$img_file = KWL_GetFileName("$CONF[G_PATH]/$path");
+$img_file = KWL_GetFileName("$CONF[G_PATH]/images.d/face");
 $x = 0;
 if (is_array($img_file)) {
 	foreach($img_file as $img) {
 		if (isset($fix)) $tmp = "$path/$img";
 		else $tmp = $img;
-		echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
SRC=\"$CONF[G_URL]/$path/$img\" BORDER=\"0\" VSPACE=\"5\" HSPACE=\"5\"
ALT=\"$img\"></A>\n";
+		echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
SRC=\"$CONF[G_URL]/images.d/face/$img\" BORDER=\"0\" VSPACE=\"5\"
HSPACE=\"5\" ALT=\"$img\"></A>\n";
 		$x++;
 		if ($x==7 || isset($br)) { echo "</TR><TR>\n"; $x=0; }
 	}


Affected Products
================
KorWeblog 1.6.2-cvs and prior

Vendor Status: NOT FIXED
=======================
2004-09-20 Vulnerability found.
2004-09-21 KorWeblog developer notified but didn't reply.
2004-09-21 Jeremy Bae made and submitted a patch.
2004-11-22 Official release.

Credits
======
Jeremy Bae at STG Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ