FarsiNews index.php directory traversal

farsinews-index-directory-traversal (24602)

Medium Risk

Description:

FarsiNews could allow a remote attacker to traverse directories on the server and obtain sensitive information. A remote attacker could send a specially-crafted request to the index.php script containing "dot dot" sequences (/../) in the 'archive' parameter and ending with a NULL byte character (%00) to traverse directories and view any known file on the system.

Note: It is also possible to exploit this vulnerability to trigger an error message containing the full installation path.

Platforms Affected:

• FarsiNews, FarsiNews 2.5 and prior

Remedy:

Upgrade to the current version of FarsiNews (version 2.5.3 or later) available from the FarsiNews Download page. See References.

Consequences:

Gain Access

References:

• BugTraq Mailing List, Fri Apr 14 2006 - 06:54:07 CDT, Farsinews Cross-Site Scripting & Path disclosure vulnerability at http://archives.neohapsis.com/archives/bugtraq/2006-04/0277.html.
• BugTraq Mailing List, Tue Feb 28 2006 - 07:16:24 CST, FarsiNews 2.5Pro Exploit at http://archives.neohapsis.com/archives/bugtraq/2006-02/0534.html.
• FarsiNews Web site, FarsiNews at http://www.farsinewsteam.com. (This site is is Persian.)
• FarsiNews Web site, FarsiNews Download page at http://www.farsinewsteam.com/download,10101111100011100001100100.11000001000110001100100111. (This site is is Persian.)
• Hamid Network Security Team, FarsiNews 2.5 Multiple Vulnerabilities at http://www.hamid.ir/security/farsinews2-5.txt. (Original advisory.)
• BID-16580: FarsiNews Directory Traversal and Local File Include Vulnerabilities
• CVE-2006-0660: Multiple directory traversal vulnerabilities in FarsiNews 2.5 and earlier allows remote attackers to (1) read arbitrary files or trigger an error message path disclosure via .. or invalid names in the archive parameter to index.php, or (2) include arbitrary files via the template parameter to show_archives.php.
• CVE-2006-1823: Directory traversal vulnerability in FarsiNews 2.5.3 Pro and earlier allows remote attackers to obtain the installation path via .. sequences in the archive parameter to index.php, which leaks the full pathname in an error message.
• OSVDB ID: 23020: FarsiNews index.php Malformed archive Variable Path Disclosure
• OSVDB ID: 23021: FarsiNews index.php archive Variable Traversal Arbitrary File Access
• OSVDB ID: 23022: FarsiNews show_archives.php template Variable Traversal Arbitrary File Access
• SA18768: FarsiNews Local File Inclusion Vulnerabilities
• SA19648: FarsiNews Multiple Cross-Site Scripting Vulnerabilities
• SECTRACK ID: 1015943: FarsiNews Input Validation Hole in `search.php` Permits Cross-Site Scripting Attacks
• VUPEN/ADV-2006-0506: FarsiNews archive and template Local File Inclusion Vulnerabilities
• VUPEN/ADV-2006-1411: FarsiNews Variable Handling Cross Site Scripting and Full Path Disclosure Issues

Reported:

Feb 10, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page