AlienForm2 CGI directory traversal

alienform2-directory-traversal (9325) The risk level is classified as Medium Risk

Description:

AlienForm2 could allow a remote attacker to traverse directories on the Web server. A remote attacker could send a specially crafted URL request containing modified "dot dot" sequences (such as .|.%2F) to traverse directories and to read and modify arbitrary files on the server.
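
The following is an added example, not AlienForm2's code and not part of the original advisory. It shows why a modified "dot dot" sequence can pass a filter, and a stricter check that rejects it. The `naive_filter` logic, the `BASE_DIR` path and the sample value are assumptions constructed for illustration.

```python
import os
import re
from urllib.parse import unquote

# Assumed layout: every form output file lives under this directory.
BASE_DIR = "/var/www/forms/out"
# Allowlist for one file name: no slashes, no empty or consecutive dots.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")
# Constructed sample value built from the ".|.%2F" sequence in the advisory.
SAMPLE = ".|.%2F.|.%2Fconf%2Fsite.cfg"


def naive_filter(value):
    """Hypothetical flawed filter: tests for '..' first, strips bad characters after."""
    decoded = unquote(value)
    if ".." in decoded:
        return None
    # Stripping the illegal character re-creates the sequence the test looked for.
    return re.sub(r"[^A-Za-z0-9_./-]", "", decoded)


def resolve_output_path(value, base_dir=BASE_DIR):
    """Return an absolute path under base_dir, or None if the value is rejected."""
    decoded = unquote(value)
    # Reject anything outside the allowlist instead of stripping it.
    if not SAFE_NAME.fullmatch(decoded):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Defense in depth: containment check on the canonical path.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    print("naive filter output:", naive_filter(SAMPLE))
    print("strict resolver    :", resolve_output_path(SAMPLE))
    print("strict resolver    :", resolve_output_path("results.txt"))
```

The strict resolver validates the fully decoded value and never edits it, so no later cleanup step can turn an accepted value into a traversal sequence.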


Consequences:

File Manipulation

Remedy:

No remedy available as of April 1, 2014.

References:

  • AlienForm2 Web site: AlienForm - a simple to use, fully configurable Form -> Email/Browser/File gateway! Jon's.
  • BugTraq Mailing List, Mon Jun 10 2002 - 16:18:53 CDT: AlienForm2 CGI script: arbitrary file read/write.
  • BID-4983: AlienForm2 Directory Traversal Vulnerability
  • CVE-2002-0934: Directory traversal vulnerability in Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) allows remote attackers to read or modify arbitrary files via an illegal character in the middle of a .. (dot dot) sequence in the parameters (1) _browser_out or (2) _out_file.
  • OSVDB ID: 836: AlienForm2 alienform.cgi (af.cgi) Traversal Arbitrary File Manipulation

Platforms Affected:

  • Jon Hedley AlienForm2 1.5

Reported:

Jun 10, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
