Bugs fixed in Version 1.4.3
Aug 22 2004 05:56PM
Joxean Koret (joxeankoret yahoo es)
In-Reply-To: <20040820225036.17877.qmail (at) www.securityfocus (dot) com [email concealed]>
>B. Unspecified File Download Vulnerability
>
>B1. An error in the MyDMS software allows
>registered users (and only
>registered users) to download any file, such
>as /etc/passwd, by inserting in a
>parameter a text such as ../../../../../etc/passwd.
>Contact:
The author has released a new version (1.4.3)
that solves the problem and avoids arbitrary file
download.
Problem Description :
~~~~~~~~~~~~~~~~~
When you want to download any file stored in
MyDMS, it internally calls a PHP script (called
op.ViewOnline.php).
The parameter 'request' of this script is a field
with 3 parts, separated by the ':' char.
The first part is the DocumentID (DocumentID in
database). The second part is the Document
Version. The third part is the document name.
I don't know why the author uses the third part
(the document name), because he has the
DocumentID to retrieve it (or its name) from the
MySQL Database server.
The problem is the following: If you replace the
document name with, for
example, ../../../../../etc/passwd, you will download
the file /etc/passwd from the Web Server.
To try the vulnerability, follow these steps:
1.- Log in to MyDMS
2.- Enter the following URL in your browser:
http://<site-with-mydms>/mydms/op/op.ViewOnline.php?request=4:6:/../../.
./../../../../../../../../../etc/passwd
Where '4' is the document id and '6' is the
document version.
You need to know a valid document id and a
valid document version, and you need an
account in the MyDMS system, but a user with
this data may download any file that he/she
wants.
Bye
Copyright 2009, SecurityFocus
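An added example, not part of the original post and not MyDMS code: one way a PHP handler could validate the three-part 'request' value described in the post before it touches the filesystem. The function names, the sample file name and the storage layout under $baseDir are assumptions.

```php
<?php
// Hypothetical hardened parsing of the 'request' field (DocumentID:Version:Name).
// Not MyDMS code; the storage layout under $baseDir is an assumption.
function parse_view_request(string $request): array
{
    $parts = explode(':', $request, 3);   // exactly three parts, as described
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('malformed request');
    }
    [$docId, $version, $name] = $parts;
    // ID and version must be plain decimal integers.
    if (!ctype_digit($docId) || !ctype_digit($version)) {
        throw new InvalidArgumentException('non-numeric id or version');
    }
    // The name must be one path component: no separators, no NUL byte,
    // and not a directory reference.
    if ($name === '' || $name === '.' || $name === '..'
        || strpbrk($name, '/\\') !== false || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid document name');
    }
    return [(int)$docId, (int)$version, $name];
}

function resolve_document_path(string $request, string $baseDir): string
{
    [$docId, $version, $name] = parse_view_request($request);
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('storage directory missing');
    }
    // Assumed layout: <base>/<docId>/<version>/<name>
    $path = realpath("$base/$docId/$version/$name");
    // realpath() resolves '..' and symlinks; the result must stay under $base.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('document not found');
    }
    return $path;
}

// Constructed inputs: a well-formed value and the traversal string from the post.
foreach (['4:6:report.pdf', '4:6:../../../../../etc/passwd'] as $req) {
    try {
        parse_view_request($req);
        echo "$req => accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$req => rejected (" . $e->getMessage() . ")\n";
    }
}
```

The name check alone rejects the traversal string; the realpath() containment test is a second layer that also covers symlinks inside the storage directory.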