STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability
STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal
vulnerability
Revision 1.3
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (advisory@xxxxxxxxxxxxxxx)
Summary
========
KorWeblog is a weblog application used by many Korean Linux users.
It has a directory traversal vulnerability that malicious attackers can get
file lists of arbitrary directories.
Vendor URL
==========
http://weblog.kldp.org
Vulnerability Class
===================
Implementation Error: Input validation flaw
Details
=======
KorWeblog has a function to insert image icons when users post replies. This
function is implemented in viewimg.php.
It doesn't check user input correctly, so malicious attackers can modify
$path variable and can get file lists of a target directory.
http://[victim]/viewimg.php?path=images.d/face/../../../../../../../&form=Co
m&var=faceicon
Impact
======
Medium: Information disclosure
Workaround
==========
please download and apply viewimg.diff from
http://kldp.net/tracker/index.php?func=detail&aid=300515&group_id=13&atid=30
0013
--- viewimg-org.php 2004-09-21 13:08:15.000000000 +0900
+++ viewimg.php 2004-09-21 13:08:44.000000000 +0900
@@ -63,13 +63,13 @@
<TABLE BORDER="0" CELLSPACING="3" CELLPADDING="5" ALIGN="CENTER">
<TR>
<?
-$img_file = KWL_GetFileName("$CONF[G_PATH]/$path");
+$img_file = KWL_GetFileName("$CONF[G_PATH]/images.d/face");
$x = 0;
if (is_array($img_file)) {
foreach($img_file as $img) {
if (isset($fix)) $tmp = "$path/$img";
else $tmp = $img;
- echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
SRC=\"$CONF[G_URL]/$path/$img\" BORDER=\"0\" VSPACE=\"5\" HSPACE=\"5\"
ALT=\"$img\"></A>\n";
+ echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
SRC=\"$CONF[G_URL]/images.d/face/$img\" BORDER=\"0\" VSPACE=\"5\"
HSPACE=\"5\" ALT=\"$img\"></A>\n";
$x++;
if ($x==7 || isset($br)) { echo "</TR><TR>\n"; $x=0; }
}
Affected Products
================
KorWeblog 1.6.2-cvs and prior
Vendor Status: NOT FIXED
=======================
2004-09-20 Vulnerability found.
2004-09-21 KorWeblog developer notified but didn't reply.
2004-09-21 Jeremy Bae made and submitted a patch.
2004-11-22 Official release.
Credits
======
Jeremy Bae at STG Security