`-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal
vulnerability
Revision 1.3
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team ([email protected])
Summary
========
KorWeblog is a weblog application used by many Korean Linux users.
It has a directory traversal vulnerability that lets malicious attackers obtain
file lists of arbitrary directories.
Vendor URL
==========
http://weblog.kldp.org
Vulnerability Class
===================
Implementation Error: Input validation flaw
Details
=======
KorWeblog has a function to insert image icons when users post replies. This
function is implemented in viewimg.php.
It doesn't validate user input correctly, so malicious attackers can modify
the $path variable and get the file list of a target directory.
http://[victim]/viewimg.php?path=images.d/face/../../../../../../../&form=Com&var=faceicon
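An added example, not KorWeblog code and not the submitted patch: one way to keep a user-supplied directory parameter while confining it to a base directory, by canonicalizing with realpath() and checking the resolved prefix. The function name list_icon_dir and the demo directory layout are hypothetical.

```php
<?php
// Hypothetical helper (assumption, not part of KorWeblog): list image files in
// a user-chosen subdirectory only if it resolves inside $baseDir.
function list_icon_dir(string $baseDir, string $userPath): array
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    // realpath() collapses "../" segments and resolves symlinks;
    // it returns false when the target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_dir($target)) {
        return [];
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "images.d-old" is not accepted as being inside "images.d".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return [];
    }
    $files = [];
    foreach (scandir($target) as $name) {
        // Return regular files with an image extension only.
        if (is_file($target . DIRECTORY_SEPARATOR . $name)
            && preg_match('/\.(gif|png|jpe?g)$/i', $name)) {
            $files[] = $name;
        }
    }
    return $files;
}

// Constructed demo tree: an icon directory plus a file outside the base.
$root = sys_get_temp_dir() . '/kwl_demo_' . bin2hex(random_bytes(4));
mkdir("$root/images.d/face", 0700, true);
touch("$root/images.d/face/smile.gif");
touch("$root/secret.txt");

// In-base request, then a request using the "../" pattern from the advisory.
var_dump(list_icon_dir("$root/images.d", 'face'));
var_dump(list_icon_dir("$root/images.d", 'face/../../'));

// Remove the constructed demo tree.
unlink("$root/images.d/face/smile.gif");
unlink("$root/secret.txt");
rmdir("$root/images.d/face");
rmdir("$root/images.d");
rmdir($root);
```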
Impact
======
Medium: Information disclosure
Workaround
==========
Please download and apply viewimg.diff from
http://kldp.net/tracker/index.php?func=detail&aid=300515&group_id=13&atid=300013
- --- viewimg-org.php 2004-09-21 13:08:15.000000000 +0900
+++ viewimg.php 2004-09-21 13:08:44.000000000 +0900
@@ -63,13 +63,13 @@
<TABLE BORDER="0" CELLSPACING="3" CELLPADDING="5" ALIGN="CENTER">
<TR>
<?
- -$img_file = KWL_GetFileName("$CONF[G_PATH]/$path");
+$img_file = KWL_GetFileName("$CONF[G_PATH]/images.d/face");
$x = 0;
if (is_array($img_file)) {
foreach($img_file as $img) {
if (isset($fix)) $tmp = "$path/$img";
else $tmp = $img;
- - echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
SRC=\"$CONF[G_URL]/$path/$img\" BORDER=\"0\" VSPACE=\"5\" HSPACE=\"5\"
ALT=\"$img\"></A>\n";
+ echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
SRC=\"$CONF[G_URL]/images.d/face/$img\" BORDER=\"0\" VSPACE=\"5\"
HSPACE=\"5\" ALT=\"$img\"></A>\n";
$x++;
if ($x==7 || isset($br)) { echo "</TR><TR>\n"; $x=0; }
}
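Review bot: The unchanged context line 'if (isset($fix)) $tmp = "$path/$img";' still builds $tmp from the request-supplied $path, and $tmp is echoed unescaped into javascript:pick('$tmp'), so hard-coding the directory for KWL_GetFileName and the IMG SRC leaves one user-controlled use of $path in the generated page. Suggest building $tmp from the same fixed images.d/face prefix (or removing the $fix branch if it is no longer needed) and passing $tmp and $img through htmlspecialchars() with ENT_QUOTES before they are echoed into the HREF, SRC and ALT attributes. The literal images.d/face now appears twice in the hunk; holding it in one variable would keep the listing and the SRC from drifting apart.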
Affected Products
================
KorWeblog 1.6.2-cvs and prior
Vendor Status: NOT FIXED
=======================
2004-09-20 Vulnerability found.
2004-09-21 KorWeblog developer notified but didn't reply.
2004-09-21 Jeremy Bae made and submitted a patch.
2004-11-22 Official release.
Credits
======
Jeremy Bae at STG Security
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBQaP3/j9dVHd/hpsuEQLdiQCghTLqIwBh6ckXCaey1HhN+E+U3BsAnjXk
Vo/EGxQDaN//HosfSJm640zX
=sTJy
-----END PGP SIGNATURE-----
`