path traversal
Summary
=======
The Management Center for Cisco Security Agents is affected by a
directory traversal vulnerability and a SQL injection vulnerability.
Successful exploitation of the directory traversal vulnerability may
allow an authenticated attacker to view and download arbitrary files
from the server hosting the Management Center. Successful
exploitation of the SQL injection vulnerability may allow an
authenticated attacker to execute SQL statements that can cause
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-018
Application: Apache Geronimo Application Server
Versions Affected: 2.1 - 2.1.3
Vendor URL: http://geronimo.apache.org/
Bug: Directory Traversal File Upload
Exploits: YES
Reported: 10.12.2008
Vendor response: 10.12.2008
Solution: YES
Date of Public Advisory: 16.04.2009
ESX 4.0 ESX ESX400-200909401-BG
ESX 3.5 ESX ESX350-200910401-SG
ESX 3.0.3 ESX ESX303-200910401-BG
ESX 2.5.5 ESX Upgrade Patch 15
b. Directory Traversal vulnerability
A directory traversal vulnerability allows for remote retrieval of
any file from the host system. In order to send a malicious request,
the attacker will need to have access to the network on which the
host resides.
Security Advisory
http://blog.hispasec.com/lab/
Name : 2K7SEPT6 X-Diesel Unreal Commander v0.92 (build 573)
multiple FTP-based vulnerabilities
Class : Remote directory traversal, Remote DoS
Threat level : HIGH
Discovered : 2007-09-06
Published : 2007-08-24
Credit : Gynvael Coldwind
Vulnerable : 0.92 (build 573), 0.92 (build 565), prior also may be affected
Team Vexillium
Security Advisory
http://vexillium.org/
Name : WinImage 8.10 Multiple Vulnerabilities
Class : Denial of Service and Directory Traversal
Threat level : LOW (DoS), MED (Dir. traversal vuln)
Discovered : 2007-08-31
Published : 2007-09-15
Credit : j00ru//vx
Vulnerable : WinImage 8.10,
service (IRC shutdown) via certain inputs.
CVE-2005-1238 05/02/2005 By design, the built-in FTP server for iSeries
AS/400 systems does not support a restricted document root, which allows
attackers to read or write arbitrary files, including sensitive QSYS
databases, via a full pathname in a GET or PUT request.
CVE-2005-1239 05/02/2005 Directory traversal vulnerability in the third
party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including
those from qsys.lib, via ".." sequences in a GET request.
CVE-2005-1240 04/20/2005 Directory traversal vulnerability in the third
party tool from Castlehill, as used to secure the iSeries AS/400 FTP
[+] Application: phpCommunity 2
[+] Version: 2.1.8
[+] Website: http://sourceforge.net/projects/phpcommunity2/
[+] Bugs: [A] Multiple SQL Injection
[B] Directory Traversal
[C] Reflected XSS
[+] Exploitation: Remote
[+] Date: 07 Mar 2009
______________________________________________________________________
-------------------------- NSOADV-2011-003 ---------------------------
Majordomo2 'help' Command Directory Traversal (Patch Bypass)
______________________________________________________________________
DSECRG-11-003 (Internal DSECRG-00145) SAP Crystal Report Server 2008 - Directory Traversal
Directory traversal vulnerability discovered in the PerformanceManagement module of the SAP Crystal Report Server 2008 application, which allows you to read any file on the OS.
Application: SAP Crystal Report Server 2008
Versions Affected: SAP Crystal Report Server 2008
Vendor URL: http://sap.com
Bugs: Directory Traversal File Read
Exploits: YES
Reported: 29.03.2010
Vendor response: 30.03.2010
Directory Traversal is not only a web-server vulnerability, neza0x. Webapps can be vulnerable as
well. Or 3rd party [nginx|apache|etc] modules, for that matter.
On 11/03/2010 05:49 PM, neza0x@gmail.com wrote:
> Directory Traversal still alive? I mean, does your tool bypass Apache, IIS latest versions? Or it is applicable to IIS 4?
>
> It would be nice to have new techniques, improve multi-byte encoders and so on.
Software : Deepin TFTP Server Directory Traversal Vulnerability
Software Version : v1.25
Vendor: Deepin.org
Vulnerability Published : 2010-08-14
Vulnerability Update Time :
Status :
Impact : Medium
Bug Description :
Deepin TFTP Server does not properly sanitise filenames containing directory traversal sequences that are received from an FTP client.
Proof Of Concept :
the official announcement of these holes, I additionally informed them.
19.02.2010 - disclosed at my site.
-----------------------------
Details:
These are SQL Injection and Directory Traversal vulnerabilities.
SQL Injection:
http://site/files.php?refdll=-1+union+select+version()%23
_____________
Summary:
A) Multiple SQL Injection
B) Directory Traversal
C) Reflected XSS
A) Multiple SQL Injection
_________________________
I shall complete the information related to Bugtraq ID: 33359
Title: HTC / Windows Mobile OBEX FTP Service Directory Traversal
Author: Alberto Moreno Tablado
Vendor: HTC
Vulnerable Products:
- HTC devices running Windows Mobile 6
- HTC devices running Windows Mobile 6.1
Non vulnerable products:
- HTC devices running Windows Mobile 5.0
Hello Bugtraq!
I want to warn you about Cross-Site Scripting, Full path disclosure,
Information Leakage, Directory Traversal, Arbitrary File Deletion and Denial
of Service vulnerabilities in WordPress.
For all these attacks, it is necessary to have access to an admin account, or to
have an account with rights for working with plugins, or to attack the admin or
another user with the required rights via XSS to find out the token which is
designed to protect against CSRF attacks.
attack will work in WP-DB-Backup <= 2.0.
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=.htaccess
If .htaccess is placed in the folder with backups, then it can be deleted. Even
with Directory Traversal fixed, files in the folder with backups can be
deleted in any case. So .htaccess needs to be placed not in the folder
with backups, but in higher-level folders, e.g. in the wp-content folder.
Taking into account that WordPress Database Backup plugin creates empty
index.php in the folder with backups for protecting from leaking of
Title: YaTFTPSvr TFTP Server Directory Traversal Vulnerability
Software : YaTFTPSvr TFTP Server
Software Version : 1.0.1.200
Vendor: http://sites.google.com/site/zhaojieding2/
Vulnerability Published : 2011-07-11
Vulnerability Update Time :
Status :
Impact : Medium
Bug Description :
YaTFTPSvr TFTP Server does not properly sanitise filenames containing directory traversal sequences that are received from a TFTP client.
Advisory: nostromo nhttpd directory traversal leading to arbitrary
command execution
During a penetration test, RedTeam Pentesting discovered a directory
traversal vulnerability leading to arbitrary command execution in the
nostromo HTTP server.
Details
=======
1) Authentication bypass - CVE-2010-4279
2) OS Command Injection - CVE-2010-4278
3) SQL Injection - CVE-2010-4280
4) Blind SQL Injection - CVE-2010-4280
5) Path Traversal - CVE-2010-4281 - CVE-2010-4282 - CVE-2010-4283
[+] Introduction
Pandora FMS (for Pandora Flexible Monitoring System) is a software
for infrastructure support.
*Technical Description / Proof of Concept Code*
A path or directory traversal attack technique forces access to files,
directories, and commands that potentially reside outside the web
document root directory. An attacker may manipulate the HTTP requests in
such a way that the web site will write, execute or reveal the contents
of arbitrary files outside the intended path of the web documents. Any
device that exposes an HTTP-based interface is potentially vulnerable to
Vendor: Cisco Systems
Product: CUCM Environment
Cisco Unified Communications Manager (CallManager)
Cisco IP Phone CP-7975G
Vulnerability: Directory Traversal
Reversible Obfuscation Algorithm
SCCP service security issues
CTFTP Information Leaks
Voice VLAN Separation Activated Late
Affected Releases: 7.0, 8.0(2)
http://site/wp-admin/page-new.php?popuptitle=%22%20style=%22xss:expression(alert(document.cookie))%22
Original article (in Russian): http://securityvulns.ru/Sdocument714.html
Additional details (in Ukrainian): http://websecurity.com.ua/1658/
2.3 Directory traversal, Arbitrary file deletion, Denial of Service
and Cross-Site Scripting via wp-db-backup.php
Directory Traversal (WordPress <= 2.0.3):
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=../../.htaccess
http://site/wp-admin/edit.php?page=wp-db-backup.php&backup=\..\..\.htaccess
[MajorSecurity Advisory #56]moziloWiki - Directory Traversal, XSS and SessionFixation Issues
Details
=======
Product: moziloWiki
Security-Risk: High
Remote-Exploit: yes
Vendor-URL: http://www.mozilo.de/
Vendor-Status: informed
Advisory-Status: published
Summary
=======
Cisco Unified Contact Center Express (UCCX or Unified CCX) contains a denial of
service (DoS) vulnerability and a directory traversal vulnerability. These
vulnerabilities are independent of each other.
Exploitation of these vulnerabilities could result in a DoS condition or an
information disclosure.
HISPASEC
Security Advisory
http://blog.hispasec.com/lab/
Name : 2K7SEPT6 Total Commander 7.01 Remote FTP Client
Directory Traversal
Class : Remote Directory Traversal
Threat level : HIGH
Discovered : 2007-08-25
Published : 2007-09-06
Credit : Gynvael Coldwind
Cisco Security Advisory: Directory Traversal Vulnerability in Cisco
Network Admission Control Manager
Advisory ID: cisco-sa-20111005-nac
Revision 1.0
properly quote regular expressions, which allows remote authenticated
users to inject a PCRE e (aka PREG_REPLACE_EVAL) modifier, and
consequently execute arbitrary PHP code, by leveraging the ability
to modify the SESSION superglobal array (CVE-2011-2507).
Directory traversal vulnerability in libraries/display_tbl.lib.php
in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1, when
a certain MIME transformation feature is enabled, allows remote
authenticated users to include and execute arbitrary local files
via a .. (dot dot) in a GLOBALS[mime_map][->name][transformation]
parameter (CVE-2011-2508).
Cisco Unified Communications Manager Directory Traversal Vulnerability
Advisory ID: cisco-sa-20111026-cucm
Revision 1.0
For Public Release 2011 October 26 16:00 UTC (GMT)
Cisco Unified Contact Center Express Directory Traversal Vulnerability
Advisory ID: cisco-sa-20111026-uccx
Revision 1.0
For Public Release 2011 October 26 16:00 UTC (GMT)
1) Directory Path Traversal in Piwigo: CVE-2012-2208
1.1 Input passed via the "language" GET parameter to upgrade.php is vulnerable to directory path traversal. The directory path passed to the "language" parameter is later used in the include() function to include the following files: common.lang.php, admin.lang.php, install.lang.php and upgrade.lang.php.
Under certain conditions this can be exploited to include a malicious PHP file and execute arbitrary PHP code. To exploit this vulnerability the attacker should create a file with a name from the list above (for example admin.lang.php) in the file system (for example in /tmp/) and try to include it via directory traversal.
The following PoC (Proof of Concept) demonstrates the vulnerability:
http://[host]/upgrade.php?language=../../../../../tmp/