Confixx Symlink Arbitrary Directory Information Disclosure

2004-06-25T00:00:00
ID OSVDB:8949
Type osvdb
Reporter Dirk Pirschel (dirk@pirschel.de)
Modified 2004-06-25T00:00:00

Description

Vulnerability Description

SWSoft Confixx contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a malicious user symlinks $HOME/files or $HOME/html to an arbitrary directory and issues a backup request. The backup request will back up the arbitrary directory and disclose all of its contents, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 3.0.3 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable the backup script.
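Until the upgrade is in place, an administrator can audit customer homes for the condition described above. The following is an added example, not part of the original advisory or of Confixx; it assumes all customer homes are subdirectories of one base directory, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report customer homes where "files" or "html" is a symlink,
# and whether the link resolves inside or outside that home.
# Assumption: run with enough privilege to enter every link target.

# audit_home HOME_DIR
# Prints one line per symlink found. Returns 1 if any link leaves the home
# or cannot be resolved as a directory, 2 if the home is unreadable, else 0.
audit_home() {
    home_dir=$1
    real_home=$(cd "$home_dir" 2>/dev/null && pwd -P) || {
        echo "ERROR $home_dir unreadable"
        return 2
    }
    home_rc=0
    for name in files html; do
        path=$home_dir/$name
        [ -L "$path" ] || continue      # a real directory is the expected case
        # cd follows the link; pwd -P prints the physical (canonical) path.
        if real=$(cd "$path" 2>/dev/null && pwd -P); then
            case $real/ in
                "$real_home"/*) echo "INSIDE $path -> $real" ;;
                *) echo "OUTSIDE $path -> $real"; home_rc=1 ;;
            esac
        else
            # Dangling link, or a link to something that is not a directory.
            echo "UNRESOLVED $path"
            home_rc=1
        fi
    done
    return $home_rc
}

# audit_all BASE_DIR
# Runs audit_home on every subdirectory of BASE_DIR; returns 1 on any finding.
audit_all() {
    all_rc=0
    for h in "$1"/*/; do
        [ -d "$h" ] || continue
        audit_home "${h%/}" || all_rc=1
    done
    return $all_rc
}

# Usage (placeholder path): audit_all /path/to/customer/homes
```

This is a point-in-time check: a user can recreate the link after the audit runs, so it supplements the upgrade or the disabled backup script rather than replacing them.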

References:

Secunia Advisory ID: 11953
Related OSVDB ID: 7272
Related OSVDB ID: 8950
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0568.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0832.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1316.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1062.html
Bugtraq ID: 10607