Bugtraq mailing list archives
STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability
From: <advisory () stgsecurity com>
Date: 24 Nov 2004 02:59:37 -0000
STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability Revision 1.3 Date Published: 2004-11-22 (KST) Last Update: 2004-11-22 Disclosed by SSR Team (advisory () stgsecurity com) Summary ======== KorWeblog is a weblog application used by many Korean Linux users. It has a directory traversal vulnerability that malicious attackers can get file lists of arbitrary directories. Vendor URL ========== http://weblog.kldp.org Vulnerability Class =================== Implementation Error: Input validation flaw Details ======= KorWeblog has a function to insert image icons when users post replies. This function is implemented in viewimg.php. It doesn't check user input correctly, so malicious attackers can modify $path variable and can get file lists of a target directory. http://[victim]/viewimg.php?path=images.d/face/../../../../../../../&form=Co m&var=faceicon Impact ====== Medium: Information disclosure Workaround ========== please download and apply viewimg.diff from http://kldp.net/tracker/index.php?func=detail&aid=300515&group_id=13&atid=30 0013 --- viewimg-org.php 2004-09-21 13:08:15.000000000 +0900 +++ viewimg.php 2004-09-21 13:08:44.000000000 +0900 @@ -63,13 +63,13 @@ <TABLE BORDER="0" CELLSPACING="3" CELLPADDING="5" ALIGN="CENTER"> <TR> <? -$img_file = KWL_GetFileName("$CONF[G_PATH]/$path"); +$img_file = KWL_GetFileName("$CONF[G_PATH]/images.d/face"); $x = 0; if (is_array($img_file)) { foreach($img_file as $img) { if (isset($fix)) $tmp = "$path/$img"; else $tmp = $img; - echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG SRC=\"$CONF[G_URL]/$path/$img\" BORDER=\"0\" VSPACE=\"5\" HSPACE=\"5\" ALT=\"$img\"></A>\n"; + echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG SRC=\"$CONF[G_URL]/images.d/face/$img\" BORDER=\"0\" VSPACE=\"5\" HSPACE=\"5\" ALT=\"$img\"></A>\n"; $x++; if ($x==7 || isset($br)) { echo "</TR><TR>\n"; $x=0; } } Affected Products ================ KorWeblog 1.6.2-cvs and prior Vendor Status: NOT FIXED ======================= 2004-09-20 Vulnerability found. 2004-09-21 KorWeblog developer notified but didn't reply. 2004-09-21 Jeremy Bae made and submitted a patch. 2004-11-22 Official release. Credits ====== Jeremy Bae at STG Security
Current thread:
- STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability advisory (Nov 24)