lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Dec 2005 17:32:23 -0500 From: Shell <shell6@...il.com> To: bugtraq@...urityfocus.com Subject: Torrential 1.2 Directory Traversal I was poking around my own server because I had an installation of torrential and found this vuln. The problem lies in getdox.php. It works by taking an argument after a "/". This specifies a file. The DOX folder that it grabs the files from is located int /dox such that / is the directory that the main index is in. Now, you can give it the parameter of /(any file) and it will fetch that file. EXAMPLES: http://www.example.com/torrential/dox/getdox.php/../forums.php (goes to the forums page) http://www.example.com/torrential/dox/getdox.php/../../index.html (goes to http://www.example.com/index.html in this case) The vulnerability lies in the fact that getdox.php directly reads the file with fopen/fread.