Easy File Sharing Web Server msg.ghp Multiple Variable Traversal Arbitrary File Access

2003-09-16T00:00:00
ID OSVDB:3355
Type osvdb
Reporter OSVDB
Modified 2003-09-16T00:00:00

Description

Vulnerability Description

Easy File Sharing Web Server contains a flaw that allows a remote attacker to <ACTION> outside of the web path. The issue is due to the msg.ghp script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'id' or 'forumid' variables.

Solution Description

Upgrade to version 1.21 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Easy File Sharing Web Server contains a flaw that allows a remote attacker to <ACTION> outside of the web path. The issue is due to the msg.ghp script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'id' or 'forumid' variables.

Manual Testing Notes

http://[target]/msg.ghp?forumid=4&id=/../../../../../../../../windows/win.ini http://[target]/msg.ghp?forumid=/../../../../../../../../windows/win.ini

References:

Vendor URL: http://www.sharing-file.com/ Other Advisory URL: http://packetstormsecurity.nl/0309-exploits/easyfile.txt