Full path disclosure csFAQ

From: DarkBicho (darkbicho_at_fastmail.fm)
Date: 06/28/04

    To: bugtraq@securityfocus.com
    Date: Sun, 27 Jun 2004 17:43:29 -0700
    
    

    http://www.swp-zone.org/archivos/advisory-08.txt

    -------------------------------------------------------------------------------------------------

                                :.: Full path disclosure csFAQ :.:

      PROGRAM: csFAQ
      HOMEPAGE: http://www.cgiscript.net/
      BUG: Full path disclosure
      DATE: 23/05/2004
      AUTHOR: DarkBicho
              web: http://www.darkbicho.tk
              team: Security Wari Proyects <www.swp-zone.org>
              Email: darkbicho@peru.com

    -------------------------------------------------------------------------------------------------

    1.- Affected software description:
        ------------------------------
        csFAQ is an automated system for displaying FAQs (frequently asked
        questions), written by CGI Scripts.

    2.- Description:
        ------------
        This vulnerability would allow a remote user to determine the full
        path to the web root directory and other potentially sensitive
        information.

        :.: Examples:

        http://www.attack.com/cgi-script/csFAQ/csFAQ.cgi?command=viewFAQ&database=/.darkbicho

        /www/attack/cgi-script/csFAQ//%2f%2edarkbicho
        Content-type: text/html
        Software error:
        1 at csFAQ.cgi line 1117.

    3.- SOLUTION:
        ---------
        Vendors were contacted many weeks ago and plan to release a fixed
        version soon.
        Check the PHP-NUKE website for updates and official release details.

    4.- Greetings:
        ---------

        greetings to my Peruvian group swp, perunderforce and machado ;)
        "PISCO IS AND WILL BE PERUVIAN"

    5.- Contact
        -------

        WEB: http://www.darkbicho.tk
        EMAIL: darkbicho@peru.com
      
    -------------------------------------------------------------------------------------------------
                                    ___________ ____________
                                   / _____/ \ / \______ \
                                   \____ \\ \/\/ /| ___/
                                  / \\ / | |
                                 /_____ __ / \__/\ / |____|
                                 \/ \/
                                    Security Wari Projects
                                      (c) 2002 - 2004
                                        Made in Peru

    ----------------------------------------[ EOF ]----------------------------------------------
     
      
      
    DarkBicho
    Web: http://www.darkbicho.tk
    "My only crime is seeing what others cannot see"

    ---------------------- The End ----------------------
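
Added example (not part of the original advisory and not csFAQ's code): a response-body check that a site operator can run over their own application's error pages to catch the kind of leak shown in section 2. The sample leaky body is the output quoted in the advisory; the clean body, the function name and the list of filesystem root names are assumptions made for illustration.

```python
import re

# Heading Perl's CGI::Carp (fatalsToBrowser) prints on its error page.
CARP_HEADING = re.compile(r"Software error:", re.IGNORECASE)
# Perl die/warn suffix: "at <file> line <n>."
PERL_DIE = re.compile(r"\bat (\S+) line (\d+)\.")
# Assumed top-level directories that indicate a server-side path rather
# than a site-relative URL such as /faq/index.html. Adjust per host.
ROOTS = ("www", "var", "home", "usr", "srv", "opt", "etc", "tmp")
ABS_PATH = re.compile(
    r"(?<![\w:/.])/(?:" + "|".join(ROOTS) + r")(?:/+[\w.%-]+)+"
)


def find_disclosures(body):
    """Return (kind, value) findings for one HTTP response body."""
    findings = []
    if CARP_HEADING.search(body):
        findings.append(("perl-error-page", "Software error:"))
    for m in PERL_DIE.finditer(body):
        findings.append(("script-line", m.group(1) + ":" + m.group(2)))
    for m in ABS_PATH.finditer(body):
        findings.append(("filesystem-path", m.group(0)))
    return findings


# Response body as quoted in section 2 of the advisory.
LEAKY = (
    "/www/attack/cgi-script/csFAQ//%2f%2edarkbicho\n"
    "Content-type: text/html\n"
    "Software error:\n"
    "1 at csFAQ.cgi line 1117.\n"
)
# Constructed sample of what a generic error page could look like:
# no path, no script name, no line number.
CLEAN = (
    '<html><body><p>The requested FAQ could not be displayed.</p>'
    '<a href="/faq/index.html">Back</a>'
    '<img src="http://example.com/img/logo.png"></body></html>'
)

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, find_disclosures(body))
```
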

