[Full-Disclosure] ByteHoard Directory Traversal Vulnerability

From: Sintelli SINTRAQ (sintraq_at_sintelli.com)
Date: 10/19/03

  • Next message: Aviram Jenik: "[Full-Disclosure] Multiple SQL Injection Vulnerabilities in DeskPRO"
    To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
    Date: Sun, 19 Oct 2003 20:16:29 +0100

    ByteHoard Directory Traversal Vulnerability
    17 October 2003

    Original Advisory

    ByteHoard is an online storage system whereby users can upload and download
    their files from anywhere with an Internet connection.

    More information about the product is available here:

    ByteHoard does not properly validate user-supplied input in URL
    requests. This allows directory traversal characters to be added to a URL
    request, and thus allows directory traversal.

    An example is:

    It is possible for an attacker to view all files on the system.
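    The flaw described above is the classic one of joining a user-supplied
    path onto the storage directory without checking where the result ends
    up. The following Python is an added illustration, not ByteHoard's code
    or its 0.71 fix: a naive resolver beside a hardened one that
    percent-decodes, canonicalises and then checks that the result is still
    contained in the storage root. The root path, the function names and the
    sample requests are all constructed for the example.

```python
import os
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would escape the storage root."""


def naive_resolve(storage_root: str, requested: str) -> str:
    """The defective pattern: trust the request and join it onto the root.
    Hypothetical; shown only to contrast with the hardened version."""
    return os.path.normpath(os.path.join(storage_root, requested))


def resolve_user_path(storage_root: str, requested: str) -> str:
    """Map a user-supplied file path (as it arrives in a URL request) onto an
    absolute path inside storage_root, refusing anything that escapes it.
    Hypothetical hardening routine, not the vendor's own fix."""
    # Decode percent-encoding twice so ..%2f and double-encoded forms collapse
    # before the containment check rather than after it.
    decoded = unquote(unquote(requested))
    # NUL bytes truncate paths in C-based runtimes; never pass them through.
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    root = os.path.realpath(storage_root)
    # Strip leading separators so an absolute request is re-rooted inside
    # the store instead of replacing the root.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    # Containment check on the canonical form; commonpath avoids the
    # /data vs /data-old prefix mistake that a plain startswith() makes.
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"path escapes storage root: {requested!r}")
    return candidate


def classify_requests(storage_root: str, requests) -> dict:
    """Return {request: 'allowed' | 'blocked'} for a batch of path strings."""
    result = {}
    for req in requests:
        try:
            resolve_user_path(storage_root, req)
            result[req] = "allowed"
        except TraversalError:
            result[req] = "blocked"
    return result


# Constructed sample requests; not taken from the advisory.
SAMPLE_REQUESTS = [
    "alice/report.txt",                   # ordinary file under the root
    "alice/../alice/report.txt",          # contains '..' but stays inside
    "../../../etc/passwd",                # plain traversal
    "..%2F..%2Fetc%2Fpasswd",             # encoded separator
    "%252e%252e/%252e%252e/etc/passwd",   # double-encoded dots
    "/etc/passwd",                        # absolute path, re-rooted
]

if __name__ == "__main__":
    root = "/srv/bytehoard/files"  # constructed storage root
    for req, verdict in classify_requests(root, SAMPLE_REQUESTS).items():
        print(f"{verdict:8} {req!r:40} naive -> {naive_resolve(root, req)}")
```

    The naive resolver returns a path under /etc for the traversal requests,
    which is exactly the "view all files on the system" outcome the advisory
    reports; the hardened one rejects them while still accepting a benign
    `..` that stays inside the root.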

    Versions affected
    Version 0.7

    Upgrade to version 0.71

    Tar version

    Zip version

    Vulnerability History
    16 Oct 2003 Identified by Ezhilan of Sintelli
    17 Oct 2003 Issue disclosed to ByteHoard developer (Andrew Godwin)
    17 Oct 2003 Vulnerability confirmed by Andrew Godwin
    17 Oct 2003 Sintelli provided with fix
    17 Oct 2003 Sintelli confirms vulnerability has been addressed
    17 Oct 2003 Fix publicly available
    17 Oct 2003 Sintelli Public Disclosure

    Ezhilan of Sintelli discovered this vulnerability.

    About Sintelli:
    Sintelli is the world’s largest provider of security intelligence
    solutions. Sintelli is the definitive source for IT Security
    intelligence and is a provider of third generation intelligence security

    Request a free trial of our alerting solution by clicking here

    Copyright 2003 Sintelli Limited. All rights reserved. www.sintelli.com

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
