Cosmoshop edit_mailtexte.cgi file Variable Traversal Arbitrary File Access

2006-05-18T09:17:37
ID OSVDB:25647
Type osvdb
Reporter l0om(l0om@excluded.org)
Modified 2006-05-18T09:17:37

Description

Vulnerability Description

Cosmoshop contains a flaw that allows a remote attacker to disclose the content of arbitrary files outside of the web path. The issue is due to the edit_mailtexte.cgi script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'file' variable.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Cosmoshop contains a flaw that allows a remote attacker to disclose the content of arbitrary files outside of the web path. The issue is due to the edit_mailtexte.cgi script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'file' variable.

Manual Testing Notes

/cgi-bin/admin/bestellvorgang/edit_mailtexte.cgi?file=../../../../../../../../../etc/passwd%00

References:

Vendor URL: http://www.cosmoshop.de/ Secunia Advisory ID:20177 Related OSVDB ID: 25648 Related OSVDB ID: 25649 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0348.html ISS X-Force ID: 26533 CVE-2006-2475