Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability

STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability

From: <advisory_at_stgsecurity.com>
Date: 24 Nov 2004 02:59:37 -0000
('binary' encoding is not supported, stored as-is) STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal
vulnerability

Revision 1.3
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (advisory_at_stgsecurity.com)

Summary
========
KorWeblog is a weblog application used by many Korean Linux users.

It has a directory traversal vulnerability that malicious attackers can get
file lists of arbitrary directories.

Vendor URL
==========
http://weblog.kldp.org

Vulnerability Class
===================
Implementation Error: Input validation flaw

Details
=======
KorWeblog has a function to insert image icons when users post replies. This
function is implemented in viewimg.php.
It doesn't check user input correctly, so malicious attackers can modify
$path variable and can get file lists of a target directory.

http://[victim]/viewimg.php?path=images.d/face/../../../../../../../&form=Co
m&var=faceicon

Impact
======
Medium: Information disclosure

Workaround
==========
please download and apply viewimg.diff from
http://kldp.net/tracker/index.php?func=detail&aid=300515&group_id=13&atid=30
0013

--- viewimg-org.php 2004-09-21 13:08:15.000000000 +0900
+++ viewimg.php 2004-09-21 13:08:44.000000000 +0900
@@ -63,13 +63,13 @@
 <TABLE BORDER="0" CELLSPACING="3" CELLPADDING="5" ALIGN="CENTER">
 <TR>
 <?
-$img_file = KWL_GetFileName("$CONF[G_PATH]/$path");
+$img_file = KWL_GetFileName("$CONF[G_PATH]/images.d/face");
 $x = 0;
 if (is_array($img_file)) {
         foreach($img_file as $img) {
                 if (isset($fix)) $tmp = "$path/$img";
                 else $tmp = $img;
- echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
SRC=\"$CONF[G_URL]/$path/$img\" BORDER=\"0\" VSPACE=\"5\" HSPACE=\"5\"
ALT=\"$img\"></A>\n";
+ echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
SRC=\"$CONF[G_URL]/images.d/face/$img\" BORDER=\"0\" VSPACE=\"5\"
HSPACE=\"5\" ALT=\"$img\"></A>\n";
                 $x++;
                 if ($x==7 || isset($br)) { echo "</TR><TR>\n"; $x=0; }
         }


Affected Products
================
KorWeblog 1.6.2-cvs and prior

Vendor Status: NOT FIXED
=======================
2004-09-20 Vulnerability found.
2004-09-21 KorWeblog developer notified but didn't reply.
2004-09-21 Jeremy Bae made and submitted a patch.
2004-11-22 Official release.

Credits
======
Jeremy Bae at STG Security
Received on Nov 24 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]