QuickBlogger acc.php request Variable Traversal Arbitrary File Access

2006-04-12T20:58:31
ID OSVDB:24693
Type osvdb
Reporter OSVDB
Modified 2006-04-12T20:58:31

Description

Vulnerability Description

QuickBlogger contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the acc.php script not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the 'request' variable. Additionally, if arbitrary script is supplied in this variable, it may be reflected back to the user under some configurations, allowing cross-site scripting (XSS) attacks.

Solution Description

The vendor has discontinued this product and therefore has no patch or upgrade that mitigates this problem. It is recommended that an alternate software package be used in its place.
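Because no vendor fix exists, an administrator who still has the software deployed will want to spot attempts against acc.php in the web server logs. The following is an added example, not part of the OSVDB record or of QuickBlogger itself: it scans constructed Apache-style access log lines for requests to acc.php whose 'request' parameter carries a traversal sequence or a script tag after full percent-decoding, so that double-encoded variants are caught as well.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache-style access log lines (not taken from the advisory).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Apr/2006:20:58:31 +0000] "GET /acc.php?request=index.html HTTP/1.1" 200 512
192.0.2.11 - - [12/Apr/2006:20:59:02 +0000] "GET /acc.php?request=../../../../etc/passwd HTTP/1.1" 200 1420
192.0.2.12 - - [12/Apr/2006:21:00:15 +0000] "GET /acc.php?request=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1420
192.0.2.13 - - [12/Apr/2006:21:01:40 +0000] "GET /acc.php?request=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 300
192.0.2.14 - - [12/Apr/2006:21:02:05 +0000] "GET /index.php?page=../other HTTP/1.1" 200 800
"""
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# ".." as a whole path component, with either slash style, anywhere in the value
TRAVERSAL = re.compile(r'(^|[/\\])\.\.([/\\]|$)')
SCRIPT_TAG = re.compile(r'<\s*script\b', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%252F -> %2F -> /) so double-encoded
    traversal sequences are not missed; stop once decoding is a no-op."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(target):
    """Return (kind, decoded_value) findings for one request target (path + query)."""
    parts = urlsplit(target)
    if parts.path.rsplit('/', 1)[-1] != 'acc.php':   # only the vulnerable script
        return []
    findings = []
    # parse_qs already decodes one layer; fully_decode strips any further layers
    for raw in parse_qs(parts.query, keep_blank_values=True).get('request', []):
        value = fully_decode(raw)
        if TRAVERSAL.search(value):
            findings.append(('traversal', value))
        if SCRIPT_TAG.search(value):
            findings.append(('xss', value))
    return findings

def scan_log(text):
    """Scan access-log text; return (client_ip, kind, decoded_value) tuples."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        client_ip = line.split(' ', 1)[0]
        for kind, value in classify_request(m.group('target')):
            hits.append((client_ip, kind, value))
    return hits

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against the sample, the scanner reports the raw traversal, the double-encoded traversal and the reflected script-tag request while ignoring the benign acc.php request and the unrelated index.php line.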

Manual Testing Notes

http://[target]/acc.php?request=<script>alert(document.cookie)</script>

References:

Vendor URL: http://www.jlwebworks.net/
Secunia Advisory ID: 15942
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-04/0257.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-04/0309.html
CVE-2006-1791