Weatimages 'index.php' Information Disclosure Vulnerability
BID:40182
Info
Weatimages 'index.php' Information Disclosure Vulnerability
| Bugtraq ID: | 40182 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 31 2009 12:00AM |
| Updated: | Dec 31 2009 12:00AM |
| Credit: | e.wiZz! |
| Vulnerable: |
Vladimir Nazarkin Weatimages 1.7.2 |
| Not Vulnerable: | |
Discussion
Weatimages 'index.php' Information Disclosure Vulnerability
Weatimages is prone to an information-disclosure vulnerability.
This issue can be exploited to list the content of parent directories through directory traversal sequences, allowing attackers to gain access to potentially sensitive information on the vulnerable server; other attacks may also be possible.
Weatimages 1.7.2 is vulnerable; other versions may also be affected.
Weatimages is prone to an information-disclosure vulnerability.
This issue can be exploited to list the content of parent directories through directory traversal sequences, allowing attackers to gain access to potentially sensitive information on the vulnerable server; other attacks may also be possible.
Weatimages 1.7.2 is vulnerable; other versions may also be affected.
Exploit / POC
Weatimages 'index.php' Information Disclosure Vulnerability
An attacker can carry out this attack using readily available network utilities.
The following example URIs are available:
http://www.example.com/index.php?path=../
http://www.example.com/index.php?path=../..
http://www.example.com/index.php?path=..\anything
An attacker can carry out this attack using readily available network utilities.
The following example URIs are available:
http://www.example.com/index.php?path=../
http://www.example.com/index.php?path=../..
http://www.example.com/index.php?path=..\anything
Solution / Fix
Weatimages 'index.php' Information Disclosure Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
Weatimages 'index.php' Information Disclosure Vulnerability
References:
References:
- Weatimages Homepage (Vladimir Nazarkin)