phpSysInfo index.php lng Variable Traversal File Existence Enumeration

2003-04-04T08:04:02
ID OSVDB:27015
Type osvdb
Reporter Micheal Turner(wh1t3h4t3yahoo.co.uk), Albert Puigsech Galicia(ripe@7a69ezine.org)
Modified 2003-04-04T08:04:02

Description

Vulnerability Description

phpSysInfo contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the index.php script not properly sanitizing user input: directory-traversal sequences (../../) supplied via the 'lng' variable and terminated with a null byte (%00) are not rejected.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

phpSysInfo contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the index.php script not properly sanitizing user input: directory-traversal sequences (../../) supplied via the 'lng' variable and terminated with a null byte (%00) are not rejected.

Manual Testing Notes

http://[target]/phpSysInfo/index.php?template=blue&lng=../../../../../../../../../../../var/log/httpd-error.log%00
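The missing control is validation of 'lng' before it is used to build a file path. The following is an added example, not phpSysInfo's own code (the project is PHP; Python is used here for illustration): a resolver that accepts only language names of an allowlisted shape, rejects embedded null bytes, and confirms the resolved path stays inside the language directory. The directory layout and file names are constructed assumptions.

```python
import os
import re
import tempfile

# Allowlist: two-letter code with an optional region suffix, e.g. "en", "pt_br".
# This is a constructed assumption about how language files are named.
LANG_NAME = re.compile(r"^[a-z]{2}(?:[-_][a-z]{2})?$")


def resolve_language_file(lng, lang_dir):
    """Return the absolute path of <lang_dir>/<lng>.php, or None if lng is unsafe."""
    # Reject null bytes first: C-backed file APIs stop at the first NUL,
    # which is what the %00 in the traversal payload relies on.
    if not isinstance(lng, str) or "\x00" in lng:
        return None
    # Allowlist the name; this alone blocks "../" and slashes.
    if not LANG_NAME.fullmatch(lng):
        return None
    # Defence in depth: canonicalise and require the file to sit directly in lang_dir.
    base = os.path.realpath(lang_dir)
    candidate = os.path.realpath(os.path.join(base, lng + ".php"))
    if os.path.dirname(candidate) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Create a throwaway lang/ directory and classify constructed 'lng' values."""
    with tempfile.TemporaryDirectory() as tmp:
        lang_dir = os.path.join(tmp, "lang")
        os.mkdir(lang_dir)
        for name in ("en", "de"):
            with open(os.path.join(lang_dir, name + ".php"), "w") as fh:
                fh.write("<?php // constructed language file\n")
        probes = [
            "en",                       # present, accepted
            "de",                       # present, accepted
            "fr",                       # well-formed but no such file
            "EN",                       # wrong case, rejected by allowlist
            "..",                       # rejected by allowlist
            "en/../../index",           # rejected by allowlist
            # the advisory's payload, as the web server would deliver it after decoding
            "../../../../../../../../../../../var/log/httpd-error.log\x00",
        ]
        # Map each probe to whether the resolver accepted it.
        return {p: resolve_language_file(p, lang_dir) is not None for p in probes}
```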

References:

Vendor URL: http://phpsysinfo.sourceforge.net/
Security Tracker: 1016440
Secunia Advisory ID: 20939
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0065.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0066.html
ISS X-Force ID: 27527
FrSIRT Advisory: ADV-2006-2668
CVE: CVE-2006-3360
Bugtraq ID: 18868