lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080401051627.4261.qmail@securityfocus.com>
Date: 1 Apr 2008 05:16:27 -0000
From: joseph.giron13@...il.com
To: bugtraq@...urityfocus.com
Subject: Terracotta Personal Edition Multiple vulnerabilities

Its been awhile since I've posted something, so lets get to the goods.

Terracotta is a an open source CMS from http://sourceforge.net/projects/terracotta/

First up, we have Full path disclosure vulnerabilities in the GET'd variable 'File'. Specify something other than whats in the list and we get full paths and other useful information. 

Next we have some nice LFI. 

To LFI this code, we try the following:

www.example.com/index.php?CurrentDirectory=FOLDER_420c142a1bebd1.90885049/../../../../../../../../../etc/&StartAt=12

The GET'd variable Current directory fails to check for other invalid input allowing us to specifiy folders outside the normal program's environment. though we can only specify folders, it will display them for us as if it were part of its normal viewing procedures. 

To add insult to injury, there is another parameter present for download processing that we can manipulate to specify which file we want. 
www.example.com/index.php?CurrentDirectory=FOLDER_420c142a1bebd1.90885049/../../whatever/&StartAt=12&File=whateverwewant.txt

This used in conjunction with our full path disclosures allow for some directory and file probing as well as a peek at server side code.

No patch yet. Happy hunting! 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ