KorWeblog index.php lng Variable Arbitrary File Access

2004-12-30T06:09:59
ID OSVDB:12679
Type osvdb
Reporter Min-sung Choi(mins@fsu.or.kr)
Modified 2004-12-30T06:09:59

Description

Vulnerability Description

KorWeblog contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to index.php not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the lng variable(s).

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

KorWeblog contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to index.php not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the lng variable(s).

Manual Testing Notes

http://[victim]/weblog/install/index.php?lng=../../../../../../etc/passwd%00

http://[victim]/weblog/install/index.php?lng=../../phpinfo

References:

Vendor URL: http://weblog.kldp.org Security Tracker: 1012745 Secunia Advisory ID:13700 Related OSVDB ID: 12680 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-12/0451.html CVE-2004-1426