jsupload.cgi.pl 0.6.4 Directory Traversal

2012-11-30T00:00:00
ID PACKETSTORM:118494
Type packetstorm
Reporter Sean de Regge
Modified 2012-11-30T00:00:00

Description

                                        
                                            `-------------------------------------------------------------------------------------------------------------  
Directory traversal vulnerabilities in jsupload.cgi.pl version 0.6.4 and  
before  
29 November 2012  
Sean de Regge (seanderegge gmail.com)  
-------------------------------------------------------------------------------------------------------------  
  
Details:  
----------  
Versions of the Perl script jsupload.cgi.pl prior to version number 0.6.4  
are vulnerable to directory traversal attacks.  
The script allows a remote user to upload a file to the "/tmp/uploader"  
directory. However, by adding the characters ../ when supplying a filename  
it is possible to break out of the directory and write to other  
directories on the system.  
  
A similar vulnerability exists in the code that allows a user to download  
files from the "/tmp/uploader" directory.  
  
A detailed writeup of this vulnerability can be found at www.pwnani.com.  
  
Recommendation:  
-------------------------  
The latest version of the script includes a patch for these vulnerabilities  
and can be found at:  
  
http://code.google.com/p/gwtupload/source/browse/jsupload/src/main/java/jsupload/public/jsupload.cgi.pl  
`
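
The confinement check that the Details section shows to be missing can be sketched in Perl as follows; the same validation applies to the file name used by the download handler. This is an added example, not the project's patch and not code from the advisory: the helper name safe_path and the allow-list policy are assumptions, and a temporary directory stands in for "/tmp/uploader".

```perl
#!/usr/bin/perl
# Added example, not the project's code. safe_path() is a hypothetical helper.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Map a client-supplied file name to a path inside $base.
# Returns undef when the name is rejected.
sub safe_path {
    my ($base, $name) = @_;
    return unless defined $name && -d $base;

    # Allow-list exactly one plain path component. Separators (/ and \),
    # NUL and control bytes are not in the class, so "../" cannot pass.
    # The first character may not be a dot, which excludes ".", ".." and
    # hidden files. \z (not $) also refuses a trailing newline.
    return unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9._-]{0,127}\z/;

    # Resolve symlinks in the base directory itself, then build the path
    # from the resolved base and the validated component.
    my $real_base = realpath($base);
    return unless defined $real_base;
    my $path = File::Spec->catfile($real_base, $name);

    # Refuse an existing final component that is a symlink, since it
    # could point outside the base directory.
    return if -l $path;
    return $path;
}

# Constructed inputs for illustration.
my $base = tempdir(CLEANUP => 1);
for my $name ('report.txt', '../../etc/passwd', '..\\..\\boot.ini',
              '..', '.htaccess', "a.txt\0.png", '') {
    my $path = safe_path($base, $name);
    (my $shown = $name) =~ s/\0/\\0/g;    # make the NUL byte printable
    printf "%-20s %s\n", "'$shown'", defined $path ? "-> $path" : 'rejected';
}
```

Rejecting a bad name outright, rather than stripping "../" sequences from it, avoids filters that can be bypassed by nested or encoded sequences.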