NOCC footer.php nocc_theme Variable Traversal Arbitrary File Access

2006-02-23T10:32:35
ID OSVDB:23416
Type osvdb
Reporter retrogod(rgod@austici.org)
Modified 2006-02-23T10:32:35

Description

Vulnerability Description

NOCC contains a flaw that allows a remote attacker to retrieve arbitray files outside of the web path. The issue is due to the 'footer.php' script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'nocc_theme' variable(s).

Technical Description

This vulnerability is only present when the magic_quotes_gpc PHP option is 'on' and the register_globals PHP option is 'off'.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

NOCC contains a flaw that allows a remote attacker to retrieve arbitray files outside of the web path. The issue is due to the 'footer.php' script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'nocc_theme' variable(s).

Manual Testing Notes

http://[target]/[path]/html/footer.php?_SESSION[nocc_theme]=../../../../../../../etc/passwd%00

References:

Vendor URL: http://nocc.sourceforge.net/ Security Tracker: 1015671 Secunia Advisory ID:16921 Related OSVDB ID: 23423 Related OSVDB ID: 23424 Related OSVDB ID: 23417 Related OSVDB ID: 23418 Related OSVDB ID: 23420 Related OSVDB ID: 23422 Related OSVDB ID: 23425 Related OSVDB ID: 23427 Related OSVDB ID: 23421 Related OSVDB ID: 23426 Related OSVDB ID: 23419 Other Advisory URL: http://retrogod.altervista.org/noccw_10_incl_xpl.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0418.html CVE-2006-0891 Bugtraq ID: 16793