Webgrind 'file' Parameter Directory Traversal Vulnerability

Bugtraq ID:	52644
Class:	Input Validation Error
CVE:	CVE-2012-1790
Remote:	Yes
Local:	No
Published:	Feb 25 2012 12:00AM
Updated:	Feb 25 2012 12:00AM
Credit:	Michael Meyer
Vulnerable:	webgrind webgrind 1.0.2 webgrind webgrind 1.0
Not Vulnerable:

Webgrind 'file' Parameter Directory Traversal Vulnerability

Webgrind is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application.

Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.

The following versions of Webgrind are affected:
1.0
1.0.2

Webgrind 'file' Parameter Directory Traversal Vulnerability

An attacker can exploit the issue through a browser.

Webgrind 'file' Parameter Directory Traversal Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].

Webgrind 'file' Parameter Directory Traversal Vulnerability

References:

• webgrind 1.0 (file param) Local File Inclusion Vulnerability (Michael Meyer)
  
• webgrind Homepage (webgrind)