[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200506261856.j5QIu73a015365@linus.mitre.org>
Date: Sun, 26 Jun 2005 14:56:07 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: the_day@...o.or.id
Cc: bugtraq@...urityfocus.com
Subject: Re: [ECHO_ADV_20$2005] Full path disclosure JAF CMS
Two of these "full path disclosure" error messages suggest a much more
serious problem:
http://localhost/jaf-cms/index.php?page=forum&category=general&id=3/*
Warning: fopen(module/files/3/*): failed to open stream: No such
file or directory in
/var/www/html/jaf-cms/module/forum/inc/csvfile.php on line 197
The attacker's input - the "id" parameter - is eventually being used
in an fopen call.
Is the input being filtered or cleansed anywhere? Is this really a
directory traversal problem? Can the attacker open arbitrary files?
I don't have the tool installed, so I can't verify, but here are some
clues from the source code.
In forum.php in 3.0 Final:
/* note: no previous mention of $id anywhere until the next line */
if(isset($id))
{ /* main data base access */
$base_comment_file = new csvfile;
$base_comment_file->name="module/files/".$id;
In csvfile.php, the cvsfile class is defined with the following
method:
function open( $mode )
// opens the data source
{
if ( ! $this->handle = fopen( $this->name, $mode ) )
{
return false;
}
So maybe at least CSV formatted files can be read; maybe arbitrary
files can be modified if any are opened in write mode?
Again, I don't have the tool involved, so I can't prove it for sure.
- Steve
Powered by blists - more mailing lists