ID CVE-2006-4490 Type cve Reporter cve@mitre.org Modified 2017-07-20T01:33:00
Description
Multiple directory traversal vulnerabilities in Cybozu Office before 6.6 Build 1.3 and Share 360 before 2.5 Build 0.3 allow remote authenticated users to read arbitrary files via a .. (dot dot) sequence via the id parameter in (1) scripts/cbag/ag.exe or (2) scripts/s360v2/s360.exe.
{"exploitdb": [{"lastseen": "2016-01-31T15:53:10", "bulletinFamily": "exploit", "description": "Cybozu Products (id) Arbitrary File Retrieval Vulnerability. CVE-2006-4490. Webapps exploit for cgi platform", "modified": "2006-08-28T00:00:00", "published": "2006-08-28T00:00:00", "id": "EDB-ID:2266", "href": "https://www.exploit-db.com/exploits/2266/", "type": "exploitdb", "title": "Cybozu Products id Arbitrary File Retrieval Vulnerability", "sourceData": "Cybozu Products Arbitrary File Retrieval Vulnerability\n\nby Tan Chew Keong\nRelease Date: 2006-08-28\n\nSummary\n\nA vulnerability has been found in Cybozu Products. When exploited, the vulnerability allows \nan authenticated user to retrieve arbitrary files accessible to the web server process.\n\nTested Versions\n * Cybuzu Office Version 6.5 (Build 1.2 20050427121735) for Windows\n * Cybozu Share 360 Version 2.5 (Build 0.2 20050121115231) for Windows\n\n\nDetails\n\nThis advisory discloses a directory traversal vulnerability in Cybozu products.\n1) Cybozu Office File Cabinet File Download Directory Traversal\n\nCybuzu Office does not properly validate the \"id\" parameter in \"/scripts/cbag/ag.exe\" before \nusing it to retrieve files from the file cabinet for a logon user. This allows a malicious user \nto retrieve arbitrary files accessible to the web server process using directory traversal characters.\n\nExample (to retrieve the password hash of the admin page):\n\nhttp://192.168.1.64/scripts/cbag/ag.exe?page=FileDownload&id=../../../../../../../../../../../../../inetpub/scripts/cbag/cb5/data/admin¬imecard=1&type=text&subtype=html&ct=1\n \n\n2) Cybozu Share 360 File Cabinet and Message Attachment Download Directory Traversal\n\nCybuzu Share 360 does not properly validate the \"id\" parameter in \"/scripts/s360v2/s360.exe\" \nbefore using it to retrieve files from the file cabinet and to retrieve file attachments from a \nreceived message/memo. This allows a malicious user to retrieve arbitrary files accessible to the \nweb server process using directory traversal characters.\n\nExample (to retrieve the password hash of the admin page):\n\nhttp://192.168.1.64/scripts/s360v2/s360.exe?page=FileDownload&id=../../../../../../../../../../inetpub/scripts/s360v2/s360v2/data/admin&type=text&subtype=plain&ct=1&.txt\n\nhttp://192.168.1.64/scripts/s360v2/s360.exe?page=MessageDownload&mid=37&id=../../../../../../../../../../inetpub/scripts/s360v2/s360v2/data/admin&bc=1&type=text&subtype=plain&ct=1&.txt\n \n\nPatch / Workaround\n\nCybuzu Office:\nUpdate to Version 6.6 (Build 1.3).\n\nCybozu Share 360:\nUpdate to Version 2.5 (Build 0.3).\n\nReferences\n\nhttp://cybozu.co.jp/products/dl/notice_060825/\n\nDisclosure Timeline\n\n2006-07-04 - Vulnerability Discovered.\n2006-07-13 - Initial Vendor Notification.\n2006-07-13 - Initial Vendor Reply.\n2006-07-14 - Received scheduled patch release date from vendor.\n2006-08-16 - Received notification that patch release will be delayed.\n2006-08-25 - Vendor released patch information on website.\n2006-08-28 - Public Disclosure.\n\nContact\nFor further enquries, comments, suggestions or bug reports, simply email them to \nTan Chew Keong (chewkeong[at]vuln[dot]sg)\n\n# milw0rm.com [2006-08-28]\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/2266/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "## Vulnerability Description\nShare360 contains a flaw that allows a remote attacker to retrieve files from the file cabinet or retrieve attachments from a received message or memo. The issue is due to the s360.exe script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'id' variable.\n## Technical Description\nSuccessful exploitation requires a valid user account.\n## Solution Description\nUpgrade to version 2.5 (Build 0.3) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nShare360 contains a flaw that allows a remote attacker to retrieve files from the file cabinet or retrieve attachments from a received message or memo. The issue is due to the s360.exe script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'id' variable.\n## Manual Testing Notes\nhttp://[target]/scripts/s360v2/s360.exe?page=FileDownload&\nid=../../../../../../../../../../inetpub/scripts/s360v2/s360v2/data/admin&type=text&subtype=plain&ct=1&.txt\n\nhttp://[target]/scripts/s360v2/s360.exe?page=MessageDownload&mid=37&\nid=../../../../../../../../../../inetpub/scripts/s360v2/s360v2/data/admin&bc=1&type=text&subtype=plain&ct=1&.txt\n## References:\nVendor URL: http://cybozu.co.jp/\n[Vendor Specific Advisory URL](http://cybozu.co.jp/products/dl/notice_060825/)\n[Secunia Advisory ID:21618](https://secuniaresearch.flexerasoftware.com/advisories/21618/)\nOther Advisory URL: http://vuln.sg/cybozu-en.html\n[CVE-2006-4490](https://vulners.com/cve/CVE-2006-4490)\n", "modified": "2006-08-28T06:19:00", "published": "2006-08-28T06:19:00", "href": "https://vulners.com/osvdb/OSVDB:28261", "id": "OSVDB:28261", "type": "osvdb", "title": "Cybozu Share360 s360.exe id Variable Traversal Arbitrary File Access", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "## Vulnerability Description\nCybozu Office contains a flaw that allows a remote attacker to download arbitrary files via directory traversal attacks. The issue is due to the ag.exe not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'id' variable.\n## Solution Description\nUpgrade to Office version 6.6 (Build 1.3) or higher, AG version 1.2 (1.5) or higher, AG Pocket 5.2 (0.8) or higher, Garoon 1.5 (4.1) or higher, or Mailwise 3.0 (0.3) or higeher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nCybozu Office contains a flaw that allows a remote attacker to download arbitrary files via directory traversal attacks. The issue is due to the ag.exe not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'id' variable.\n## Manual Testing Notes\nhttp://[target]/scripts/cbag/ag.exe?page=FileDownload&\nid=../../../../../../../../../../../../../inetpub/scripts/cbag/cb5/data/admin¬imecard=1&type=text&subtype=html&ct=1\n## References:\nVendor URL: http://collaborex.cybozu.co.jp/\nVendor URL: http://cybozu.co.jp/\n[Vendor Specific Advisory URL](http://cybozu.co.jp/products/dl/notice_060825/)\n[Secunia Advisory ID:21623](https://secuniaresearch.flexerasoftware.com/advisories/21623/)\n[Secunia Advisory ID:21656](https://secuniaresearch.flexerasoftware.com/advisories/21656/)\n[Secunia Advisory ID:21638](https://secuniaresearch.flexerasoftware.com/advisories/21638/)\n[Related OSVDB ID: 28263](https://vulners.com/osvdb/OSVDB:28263)\nOther Advisory URL: http://vuln.sg/cybozu-en.html\n[CVE-2006-4490](https://vulners.com/cve/CVE-2006-4490)\n[CVE-2006-4491](https://vulners.com/cve/CVE-2006-4491)\n", "modified": "2006-08-28T06:33:59", "published": "2006-08-28T06:33:59", "href": "https://vulners.com/osvdb/OSVDB:28262", "id": "OSVDB:28262", "type": "osvdb", "title": "Cybozu Multiple Product ag.exe id Variable Traversal Arbitrary File Access", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}]}
