Simple PHP Blog Remote Directory Traversal Vulnerabilities
BID:12193
Info
Simple PHP Blog Remote Directory Traversal Vulnerabilities
| Bugtraq ID: | 12193 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 07 2005 12:00AM |
| Updated: | Jan 07 2005 12:00AM |
| Credit: | Madelman <[email protected]> is credited with the discovery of these vulnerabilities. |
| Vulnerable: |
Alexander Palmo Simple PHP Blog 0.3.7 c |
| Not Vulnerable: |
Alexander Palmo Simple PHP Blog 0.3.7 r2 |
Discussion
Simple PHP Blog Remote Directory Traversal Vulnerabilities
It is reported that Simple PHP Blog is susceptible to two remote directory traversal vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied input data.
The first vulnerability reportedly allows remote attackers to retrieve the contents of arbitrary, potentially sensitive files located on the serving computer with the credentials of the affected server process.
The second vulnerability reportedly allows remote attackers to create directories in arbitrary locations on the serving computer with the credentials of the affected server process.
These vulnerabilities are reported to exist in version 0.3.7c of Simple PHP Blog. Other versions may also be affected.
It is reported that Simple PHP Blog is susceptible to two remote directory traversal vulnerabilities. These issues are due to a failure of the application to properly sanitize user-supplied input data.
The first vulnerability reportedly allows remote attackers to retrieve the contents of arbitrary, potentially sensitive files located on the serving computer with the credentials of the affected server process.
The second vulnerability reportedly allows remote attackers to create directories in arbitrary locations on the serving computer with the credentials of the affected server process.
These vulnerabilities are reported to exist in version 0.3.7c of Simple PHP Blog. Other versions may also be affected.
Exploit / POC
Simple PHP Blog Remote Directory Traversal Vulnerabilities
An exploit is not required.
An example URI for an HTTP GET request sufficient to exploit the first vulnerability:
http://www.example.com/sphpblog/comments.php?y=05&m=01&entry=../../../../../../../etc/X11/rgb
An example URI for an HTTP POST request sufficient to exploit the second vulnerability:
http://www.example.com/sphpblog/comment_add_cgi.php
This request requires POST data similar to the following to be included in the request:
entry=../../../createdir
An exploit is not required.
An example URI for an HTTP GET request sufficient to exploit the first vulnerability:
http://www.example.com/sphpblog/comments.php?y=05&m=01&entry=../../../../../../../etc/X11/rgb
An example URI for an HTTP POST request sufficient to exploit the second vulnerability:
http://www.example.com/sphpblog/comment_add_cgi.php
This request requires POST data similar to the following to be included in the request:
entry=../../../createdir
Solution / Fix
Simple PHP Blog Remote Directory Traversal Vulnerabilities
Solution:
The vendor has released a patch to address these issues:
Alexander Palmo Simple PHP Blog 0.3.7 c
Solution:
The vendor has released a patch to address these issues:
Alexander Palmo Simple PHP Blog 0.3.7 c
-
Alexander Palmo patches_0.3.7r2.tgz
http://www.bigevilbrain.com/sphpblog/development/files/patches_0.3.7r2 .tgz
References
Simple PHP Blog Remote Directory Traversal Vulnerabilities
References:
References:
- Another Patch (0.3.7r2) (Alexander Palmo)
- Simple PHP Blog Home Page (Alexander Palmo)
- Simple PHP Blog directory traversal vulnerability (Madelman
)