Xephyrus JST Arbitrary File Access

2004-08-15T02:44:23
ID OSVDB:8825
Type osvdb
Reporter OSVDB
Modified 2004-08-15T02:44:23

Description

Vulnerability Description

Xephyrus Java Simple Template Engine (JST) contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the engine not properly sanitizing user input: directory traversal sequences (../../) supplied in the file tokens are passed through to the filesystem.

Solution Description

Upgrade to version 3.1 or higher, which has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.
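The root cause described above is a file token that is appended to the template directory without inspection. The following added example is not Xephyrus JST code; it is an illustrative resolver written for this entry that places the unchecked mapping next to a hardened one, so a reviewer can see what "sanitizing the file token" has to mean in practice: normalise the resolved path and confirm it still lies inside the template root, comparing path components rather than string prefixes. The class name, the temporary directory and the sample tokens are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Illustrative template-file resolver (hypothetical; not Xephyrus JST's own code).
 * Maps a template "file token" onto the filesystem in two ways: the naive
 * concatenation the advisory describes, and a canonicalising check that
 * confines the result to the template root.
 */
public class TemplateFileResolver {

    private final Path templateRoot;

    public TemplateFileResolver(Path templateRoot) throws IOException {
        // Resolve the root once (symlinks included) so later comparisons are canonical.
        this.templateRoot = templateRoot.toRealPath();
    }

    /** Naive mapping: the token is appended as-is, so "../../x" leaves the template directory. */
    public Path resolveUnchecked(String fileToken) {
        return templateRoot.resolve(fileToken);
    }

    /** Hardened mapping: reject absolute tokens, normalise, then verify containment. */
    public Path resolveChecked(String fileToken) throws IOException {
        if (fileToken.indexOf('\0') >= 0 || Paths.get(fileToken).isAbsolute()) {
            throw new SecurityException("rejected file token: " + fileToken);
        }
        // normalize() collapses "." and ".." segments so the containment test is meaningful.
        Path candidate = templateRoot.resolve(fileToken).normalize();
        // Path.startsWith compares whole components, so "/tmp/templates2" does not pass for "/tmp/templates".
        if (!candidate.startsWith(templateRoot)) {
            throw new SecurityException("file token escapes template root: " + fileToken);
        }
        // If the file already exists, also compare its symlink-free real path.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(templateRoot)) {
            throw new SecurityException("file token resolves outside template root via symlink: " + fileToken);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary directory stands in for the web application's template root.
        Path root = Files.createTempDirectory("jst-templates");
        Files.writeString(root.resolve("header.jst"), "<h1>header</h1>");
        TemplateFileResolver resolver = new TemplateFileResolver(root);

        // Constructed tokens: one plain, one with a harmless internal "..", one that traverses out.
        String[] tokens = { "header.jst", "sub/../header.jst", "../../outside.txt" };
        for (String token : tokens) {
            System.out.println("token " + token);
            System.out.println("  unchecked -> " + resolver.resolveUnchecked(token).normalize());
            try {
                System.out.println("  checked   -> " + resolver.resolveChecked(token));
            } catch (SecurityException e) {
                System.out.println("  checked   -> " + e.getMessage());
            }
        }
    }
}
```

Run with `java TemplateFileResolver.java` (Java 11 or later). The first two tokens resolve to the same file under both mappings; the third resolves outside the temporary root under the unchecked mapping and is refused by the checked one. Comparing path components after normalisation, rather than searching the raw token for "../", is what closes encoded or otherwise disguised variants of the same traversal.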

Short Description

Xephyrus Java Simple Template Engine (JST) contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the engine not properly sanitizing user input: directory traversal sequences (../../) supplied in the file tokens are passed through to the filesystem.

References:

Vendor URL: http://www.xephyrus.com/jst/
Vendor Specific Advisory URL
Secunia Advisory ID: 12300
Keyword: Directory Traversal