-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Web Server 4D/eCommerce 3.5.3 Directory Traversal Vulnerability
Type: Directory Traversal
Release Date: December 15, 2002
Product / Vendor: Web Server 4D/eCommerce is a single application that includes a shopping cart, credit card authorization, and order tracking.
Summary: A vulnerability exists in WS4D/eCommerce which could allow an unauthorized user to gain access to a known file residing on the target host.
This is achievable if a specially crafted URL composed of double dot "../" directory traversal sequences, with Unicode character representations substituted for "/" and "\" , is submitted to a host.
And view webserver log file.
Tested: Windows 2000 / Web Server 4D/eCommerce 3.5.3
Vulnerable: Web Server 4D/eCommerce 3.5.3 (And may be other)
Disclaimer: http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory.
Authors: Tamer Sahin firstname.lastname@example.org http://www.securityoffice.net
Tamer Sahin http://www.securityoffice.net PGP Key ID: 0x2B5EDCB0 Fingerprint: B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0
-----BEGIN PGP SIGNATURE----- Version: PGP 7.1
iQA/AwUBPENen7uLpFMrXtywEQLnVQCdGhlNqNuWlluKNn+D7SXO2LyW9c8AoMNE XKb9PeN8Ro9jxsTVgHpLs7JC =bi0h -----END PGP SIGNATURE-----
============================================================================ Delivery co-sponsored by VeriSign - The Internet Trust Company ============================================================================ FREE E-COMMERCE SECURITY INFRASTRUCTURE GUIDE When building an e-commerce site, you want to start with a strong, secure foundation. Learn how with VeriSign's FREE White Paper, "Building an E-Commerce Trust Infrastructure." See how you can authenticate your site to customers, use 128-Bit SSL encryption to secure your web servers, and accept secure payments online. Click here: http://www.verisign.com/cgi-bin/go.cgi?a=n116965650045000 ============================================================================