Treetextbox editor times right directory vulnerability-vulnerability warning-the black bar safety net

2009-01-17T00:00:00
ID MYHACK58:62200921967
Type myhack58
Reporter 佚名
Modified 2009-01-17T00:00:00

Description

Today is the 2 0 0 8. 1 1. 2 4 Monday, I stayed the All right things on the Internet to find a website to do the following littlesecurity testing thus find the Treetextbox editing can be a convenient directory vulnerability First talk about my ideas

Editor specific code is:

<td bgcolor="#f6f6f6" class="b01" style="height: 25px"> <ftb:freetextbox id="TxtBody" runat="server" buttonpath="../images/ftb/office2003/" height="400px" imagegallerypath="Mail/UpLoad_EmailPic" width="800px" ToolbarLayout="Bold,Italic,Underline,SubScript,SuperScript,NumberedList,Indent, Outdent,Copy,Paste,Cut,Delete,Of Inserttable;JustifyCenter,JustifyLeft,JustifyRight,JustifyFull; FontFacesMenu;FontSizesMenu;FontForeColorsMenu"> </ftb:freetextbox> </td>

So how are constructed all over the right directory? We take a stand for the subset of columns in order to ensure that their website security I do not publish full. First, find the editor and click the image upload will appear when a pop so how do you know the code this I will not say but in order to call the respective webmasters all understand or say it better with a packet capture you can see the http://www.XXX.cn/Member/images/ftb/HelperScripts//ftb.imagegallery.aspx?frame=1

This is key to the ftb. imagegallery. aspx this file when open time will appear you see in the picture directory then How we construct the following look at my code structure http://www.XXX.cn/Member/images/ftb/HelperScripts//ftb.imagegallery.aspx?frame=1&rif=..&cif=\..

That's why you want to construct it because the ftb. imagegallery. aspx code only the filtered/but there is no filter\symbol so such a structure will be listed in the directory So why frame=1&rif=..&cif=\.. what does it mean actually I don't know Hey Hey FRAME I feel is a function of the value however&rif=.. this is the root of the mean. and this cif=\..? I think that's subdirectories

According to this words The this from the new combination can pass right directory.