byteHoard files.inc.php Arbitrary Directory Access

2003-10-29T08:50:00
ID OSVDB:2700
Type osvdb
Reporter OSVDB
Modified 2003-10-29T08:50:00

Description

Vulnerability Description

byteHoard contains a flaw that allows a remote attacker to browse arbitrary directories outside of the web path. The files.inc.php script does not properly sanitize user input, specifically directory traversal sequences (../../) supplied via an unknown variable.

Solution Description

Upgrade to version 0.8.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://sourceforge.net/projects/bytehoard/
Vendor Specific Advisory URL
Secunia Advisory ID: 10082
Keyword: Directory Traversal