Auction Weaver Form Field Arbitrary File/Directory Deletion

2000-10-16T00:00:00
ID OSVDB:1600
Type osvdb
Reporter Steven M. Christey(coley@mitre.org)
Modified 2000-10-16T00:00:00

Description

Vulnerability Description

Auction Weaver contains a flaw that allows a remote attacker to delete arbitrary files and directories. The issue is due to a lack of sanity checking on form field content. By using a directory traversal style attack (../../) an attacker can delete arbitrary directories and all files in them.

Solution Description

Upgrade to version 1.05 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Auction Weaver contains a flaw that allows a remote attacker to delete arbitrary files and directories. The issue is due to a lack of sanity checking on form field content. By using a directory traversal style attack (../../) an attacker can delete arbitrary directories and all files in them.

References:

Vendor URL: http://www.siteinteractive.com/awl/ Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-10/0251.html Keyword: Directory Traversal ISS X-Force ID: 5371 CVE-2000-0810 Bugtraq ID: 1782