RCBlog index.php post Variable Traversal Arbitrary File Access

2006-01-19T08:02:34
ID OSVDB:22680
Type osvdb
Reporter Aliaksandr Hartsuyeu (alex@evuln.com)
Modified 2006-01-19T08:02:34

Description

Vulnerability Description

RCBlog contains a flaw that allows a remote attacker to view arbitrary files outside of the web path. The issue is due to the index.php script not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the "post" variable.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
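
With no fix available, one defensive measure is to review web server access logs for traversal sequences in the "post" parameter of index.php requests. The following is an added example, not part of the original advisory or of RCBlog's code; the log format and sample lines are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jan/2006:08:02:34 +0000] "GET /index.php?post=welcome HTTP/1.1" 200 5120
192.0.2.11 - - [19/Jan/2006:08:03:01 +0000] "GET /index.php?post=../../config/example HTTP/1.1" 200 812
192.0.2.12 - - [19/Jan/2006:08:03:09 +0000] "GET /blog/index.php?post=%2e%2e%2f%2e%2e%2fexample HTTP/1.1" 200 812
192.0.2.13 - - [19/Jan/2006:08:03:15 +0000] "GET /index.php?post=..%255c..%255cexample HTTP/1.1" 200 812
192.0.2.14 - - [19/Jan/2006:08:04:40 +0000] "GET /index.php?page=2&post=2006-01-news HTTP/1.1" 200 4977
192.0.2.15 - - [19/Jan/2006:08:05:02 +0000] "GET /other.php?post=../x HTTP/1.1" 404 210
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # catches double-encoded input such as %252e or %255c


def fully_decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if any path segment is '..', using either / or \\ as separator."""
    return ".." in re.split(r"[\\/]", fully_decode(value))


def suspicious_requests(log_text):
    """Return log lines where index.php received a traversal in 'post'."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/index.php"):
            continue
        # parse_qs performs the first round of percent-decoding.
        values = parse_qs(url.query, keep_blank_values=True).get("post", [])
        if any(is_traversal(v) for v in values):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Matching on whole path segments rather than the substring ".." avoids flagging ordinary post names that merely contain two dots.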

References:

Vendor URL: http://www.fluffington.com/
Security Tracker: 1015523
Secunia Advisory ID: 18547
Related OSVDB ID: 22679
Related OSVDB ID: 22681
Other Advisory URL: http://evuln.com/vulns/42/summary.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0167.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-01/0370.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0313.html
Keyword: EV0042
CVE-2006-0371