Online Universal Payment System index.php read Variable Traversal Arbitrary File Access

2006-05-08T12:02:34
ID OSVDB:25451
Type osvdb
Reporter Preddy(lil.turk@email.com)
Modified 2006-05-08T12:02:34

Description

Vulnerability Description

Online Universal Payment System contains a flaw that allows a remote attacker to disclose the content of arbitrary files outside of the web path. The issue is due to index.php not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'read' variable.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
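
With no fix listed, one defensive option is to review web server access logs for traversal sequences in the 'read' parameter of index.php. The following is an added example, not part of the OSVDB entry or the vendor's code; it assumes combined-format access logs, and the log lines, file names and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the value escapes its directory: '..' segment, absolute path or NUL."""
    path = fully_decode(value).replace("\\", "/")
    if "\x00" in path or path.startswith("/") or re.match(r"^[A-Za-z]:", path):
        return True
    return ".." in path.split("/")

def suspicious_read_requests(log_lines):
    """Return (line_number, decoded_value) for index.php requests with a traversing 'read'."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        target = urlsplit(match.group(1)) if match else None
        if target is None or not target.path.endswith("/index.php"):
            continue
        # parse_qs decodes one layer; fully_decode strips any further layers
        for value in parse_qs(target.query, keep_blank_values=True).get("read", []):
            if is_traversal(value):
                hits.append((number, fully_decode(value)))
    return hits

# Constructed sample log lines (not taken from the advisory)
SAMPLE_LOG = [
    '192.0.2.10 - - [08/May/2006:12:00:01 +0000] "GET /index.php?read=faq.txt HTTP/1.1" 200 512',
    '192.0.2.44 - - [08/May/2006:12:00:07 +0000] "GET /index.php?read=../../config.inc HTTP/1.1" 200 2048',
    '192.0.2.44 - - [08/May/2006:12:00:09 +0000] "GET /index.php?read=%252e%252e%252fconfig.inc HTTP/1.1" 200 2048',
    '192.0.2.44 - - [08/May/2006:12:00:12 +0000] "GET /shop/index.php?read=..%5c..%5cboot.ini HTTP/1.1" 200 300',
    '192.0.2.10 - - [08/May/2006:12:00:20 +0000] "GET /index.php?page=2&read=news..txt HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for number, value in suspicious_read_requests(SAMPLE_LOG):
        print(f"line {number}: read={value!r}")
```

The check matches whole `..` path segments after repeated decoding, so a benign name such as `news..txt` is not flagged while double-encoded and backslash variants are.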

References:

Vendor URL: http://onlyscript.info/product_info.php?products_id=6
Secunia Advisory ID: 20005
Related OSVDB ID: 25452
ISS X-Force ID: 26341
FrSIRT Advisory: ADV-2006-1704
CVE-2006-2326
Bugtraq ID: 17889