STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability

advisory_at_stgsecurity.com
Date: 11/24/04

    Date: 24 Nov 2004 02:59:37 -0000
    To: bugtraq@securityfocus.com
    

    STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability

    Revision 1.3
    Date Published: 2004-11-22 (KST)
    Last Update: 2004-11-22
    Disclosed by SSR Team (advisory@stgsecurity.com)

    Summary
    ========
    KorWeblog is a weblog application popular among Korean Linux users.

    It contains a directory traversal vulnerability that lets a remote attacker
    obtain the file listing of arbitrary directories on the server.

    Vendor URL
    ==========
    http://weblog.kldp.org

    Vulnerability Class
    ===================
    Implementation Error: Input validation flaw

    Details
    =======
    KorWeblog provides a picker for inserting image icons when users post replies;
    it is implemented in viewimg.php. The script passes the $path request
    parameter straight into KWL_GetFileName() without validation, so an attacker
    can place ".." sequences in $path and have the script list the files of any
    directory the web server process can read, for example:

    http://[victim]/viewimg.php?path=images.d/face/../../../../../../../&form=Com&var=faceicon
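The missing check, as an added example written for this advisory page (it is not KorWeblog code and does not call the real KWL_GetFileName(); list_dir() is a stand-in). It places the unchecked "$CONF[G_PATH]/$path" concatenation next to two hardened variants, a realpath()-based confinement test and an allowlist, and runs offline against a scratch directory tree it builds itself under the system temp dir (the tree is not cleaned up). The base directory stands in for $CONF[G_PATH], the 'images.d/face' allowlist entry is an assumption taken from the advisory's URL, and a Unix host is assumed for the path resolution.

```php
<?php
// Added example for this advisory (not KorWeblog code). It shows the unchecked
// "$CONF[G_PATH]/$path" concatenation from viewimg.php next to two hardened
// variants, and runs offline against a scratch directory tree it creates itself.

// Stand-in for KorWeblog's KWL_GetFileName(): return the entries of a
// directory, or false when it cannot be read.
function list_dir(string $dir)
{
    $entries = @scandir($dir);
    if ($entries === false) {
        return false;
    }
    return array_values(array_diff($entries, ['.', '..']));
}

// Vulnerable pattern: the request parameter is glued onto the base path, and
// "../" components walk out of the web root.
function vulnerable_listing(string $base, string $path)
{
    return list_dir("$base/$path");
}

// Hardened variant 1: canonicalise the joined path and require that it still
// lies inside $base. realpath() resolves "..", symlinks and repeated
// separators, so the comparison is made against the real target rather than
// the string the attacker supplied; a symlink inside $base that points outside
// it is rejected for the same reason.
function confined_listing(string $base, string $path)
{
    $baseReal = realpath($base);
    $target   = realpath("$base/$path");
    if ($baseReal === false || $target === false) {
        return false;
    }
    // The trailing separator keeps "/srv/blog-old" from matching base "/srv/blog".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $baseReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return list_dir($target);
}

// Hardened variant 2, closest in spirit to the published patch: accept only the
// icon directories the application actually exposes. 'images.d/face' is the one
// directory named in the advisory; the allowlist itself is an assumption.
function allowlisted_listing(string $base, string $path)
{
    $allowed = ['images.d/face'];
    if (!in_array($path, $allowed, true)) {
        return false;
    }
    return list_dir("$base/$path");
}

// Scratch tree (constructed for this example):
//   <tmp>/kwl-XXXX/kwl/images.d/face/{smile.gif,wink.gif}   <- web root
//   <tmp>/kwl-XXXX/secret/passwords.txt                     <- outside the web root
function build_scratch_tree(): string
{
    $root = sys_get_temp_dir() . '/kwl-' . bin2hex(random_bytes(4));
    mkdir("$root/kwl/images.d/face", 0700, true);
    mkdir("$root/secret", 0700, true);
    touch("$root/kwl/images.d/face/smile.gif");
    touch("$root/kwl/images.d/face/wink.gif");
    touch("$root/secret/passwords.txt");
    return $root;
}

$root = build_scratch_tree();
$base = "$root/kwl";   // plays the role of $CONF[G_PATH]

// The exact $path value from the advisory's URL (on a Unix host it climbs all
// the way to the filesystem root), a shorter one aimed at the sibling "secret"
// directory, and the legitimate icon directory.
$payloads = [
    'images.d/face/../../../../../../../',
    'images.d/face/../../../secret',
    'images.d/face',
];

foreach ($payloads as $path) {
    echo "path=$path\n";
    echo "  vulnerable : ", json_encode(vulnerable_listing($base, $path)), "\n";
    echo "  confined   : ", json_encode(confined_listing($base, $path)), "\n";
    echo "  allowlisted: ", json_encode(allowlisted_listing($base, $path)), "\n";
}
```

Only the vulnerable function returns a listing for the two traversal payloads; both hardened variants return false for them and still serve the real icon directory. The allowlist is the simpler and safer choice when, as in viewimg.php, the set of directories the picker should ever show is known in advance; the realpath() confinement is the general tool when a user-chosen subdirectory genuinely has to be accepted.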

    Impact
    ======
    Medium: Information disclosure

    Workaround
    ==========
    Please download and apply viewimg.diff (reproduced below) from
    http://kldp.net/tracker/index.php?func=detail&aid=300515&group_id=13&atid=300013

    --- viewimg-org.php 2004-09-21 13:08:15.000000000 +0900
    +++ viewimg.php 2004-09-21 13:08:44.000000000 +0900
    @@ -63,13 +63,13 @@
     <TABLE BORDER="0" CELLSPACING="3" CELLPADDING="5" ALIGN="CENTER">
     <TR>
     <?
    -$img_file = KWL_GetFileName("$CONF[G_PATH]/$path");
    +$img_file = KWL_GetFileName("$CONF[G_PATH]/images.d/face");
     $x = 0;
     if (is_array($img_file)) {
             foreach($img_file as $img) {
                     if (isset($fix)) $tmp = "$path/$img";
                     else $tmp = $img;
    - echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
    SRC=\"$CONF[G_URL]/$path/$img\" BORDER=\"0\" VSPACE=\"5\" HSPACE=\"5\"
    ALT=\"$img\"></A>\n";
    + echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
    SRC=\"$CONF[G_URL]/images.d/face/$img\" BORDER=\"0\" VSPACE=\"5\"
    HSPACE=\"5\" ALT=\"$img\"></A>\n";
                     $x++;
                     if ($x==7 || isset($br)) { echo "</TR><TR>\n"; $x=0; }
             }
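    Review bot: the hunk removes $path from the KWL_GetFileName() call but leaves `if (isset($fix)) $tmp = "$path/$img";` untouched, so the raw $path request parameter still flows into the `javascript:pick('$tmp')` href without any escaping; replace $path there with the same fixed `images.d/face` string (or drop the $fix branch) so the parameter is no longer used at all. Note also that the long `echo` lines have been re-wrapped in this mail, so this copy will not apply cleanly with patch(1); use the viewimg.diff linked in the Workaround section.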

    Affected Products
    =================
    KorWeblog 1.6.2-cvs and prior

    Vendor Status: NOT FIXED
    ========================
    2004-09-20 Vulnerability found.
    2004-09-21 KorWeblog developer notified; no reply received.
    2004-09-21 Jeremy Bae wrote and submitted a patch.
    2004-11-22 Advisory publicly released.

    Credits
    =======
    Jeremy Bae at STG Security

