Ziggurrat Farsi CMS 'bck' Parameter Directory Traversal Vulnerability

Bugtraq ID:	39534
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 15 2010 12:00AM
Updated:	Apr 15 2010 12:00AM
Credit:	Pouya Daneshmand
Vulnerable:	Tagfa Ziggurat Farsi CMS 0
Not Vulnerable:

Ziggurrat Farsi CMS 'bck' Parameter Directory Traversal Vulnerability

Ziggurat Farsi CMS is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue will allow an attacker to view arbitrary files within the context of the application. Information harvested may aid in launching further attacks.

Ziggurrat Farsi CMS 'bck' Parameter Directory Traversal Vulnerability

An attacker can use a web browser to exploit this issue.

The following example URI is available:

http://www.example.com/manager/backup.asp?bck=./../file.asp

Ziggurrat Farsi CMS 'bck' Parameter Directory Traversal Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Ziggurrat Farsi CMS 'bck' Parameter Directory Traversal Vulnerability

References:

• Ziggurat Farsi CMS Homepage (Tagfa)
  
• Ziggurat CMS Multiple Vulnerabilities [email protected] Message ([email protected])