what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

STG Security Advisory 2004-11-22.10

STG Security Advisory 2004-11-22.10
Posted Dec 11, 2004
Authored by STG Security | Site stgsecurity.com

STG Security Advisory: KorWeblog suffers from a directory traversal vulnerability that malicious attackers can get file lists of arbitrary directories.

tags | exploit, arbitrary
SHA-256 | 71700686df5b1678bd4503f868982180d543ec54e0c9d59cc2e37c275e95716e

STG Security Advisory 2004-11-22.10

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal
vulnerability

Revision 1.3
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
========
KorWeblog is a weblog application used by many Korean Linux users.

It has a directory traversal vulnerability that malicious attackers can get
file lists of arbitrary directories.

Vendor URL
==========
http://weblog.kldp.org

Vulnerability Class
===================
Implementation Error: Input validation flaw

Details
=======
KorWeblog has a function to insert image icons when users post replies. This
function is implemented in viewimg.php.
It doesn't check user input correctly, so malicious attackers can modify
$path variable and can get file lists of a target directory.

http://[victim]/viewimg.php?path=images.d/face/../../../../../../../&form=Co
m&var=faceicon

Impact
======
Medium: Information disclosure

Workaround
==========
please download and apply viewimg.diff from
http://kldp.net/tracker/index.php?func=detail&aid=300515&group_id=13&atid=30
0013

- --- viewimg-org.php 2004-09-21 13:08:15.000000000 +0900
+++ viewimg.php 2004-09-21 13:08:44.000000000 +0900
@@ -63,13 +63,13 @@
<TABLE BORDER="0" CELLSPACING="3" CELLPADDING="5" ALIGN="CENTER">
<TR>
<?
- -$img_file = KWL_GetFileName("$CONF[G_PATH]/$path");
+$img_file = KWL_GetFileName("$CONF[G_PATH]/images.d/face");
$x = 0;
if (is_array($img_file)) {
foreach($img_file as $img) {
if (isset($fix)) $tmp = "$path/$img";
else $tmp = $img;
- - echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
SRC=\"$CONF[G_URL]/$path/$img\" BORDER=\"0\" VSPACE=\"5\" HSPACE=\"5\"
ALT=\"$img\"></A>\n";
+ echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
SRC=\"$CONF[G_URL]/images.d/face/$img\" BORDER=\"0\" VSPACE=\"5\"
HSPACE=\"5\" ALT=\"$img\"></A>\n";
$x++;
if ($x==7 || isset($br)) { echo "</TR><TR>\n"; $x=0; }
}


Affected Products
================
KorWeblog 1.6.2-cvs and prior

Vendor Status: NOT FIXED
=======================
2004-09-20 Vulnerability found.
2004-09-21 KorWeblog developer notified but didn't reply.
2004-09-21 Jeremy Bae made and submitted a patch.
2004-11-22 Official release.

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQaP3/j9dVHd/hpsuEQLdiQCghTLqIwBh6ckXCaey1HhN+E+U3BsAnjXk
Vo/EGxQDaN//HosfSJm640zX
=sTJy
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    9 Files
  • 7
    Feb 7th
    33 Files
  • 8
    Feb 8th
    34 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close