CGI Script Center Auction Weaver Directory Traversal Vulnerability

It is possible to view the contents of any file with a known path on a system running CGI Script Center Auction Weaver. For example:

http://target/cgi-bin/awl/auctionweaver.pl?flag1=1&catdir=\..\..\&fromfile=file.ext

will allow a remote user, regardless of privilege level, to read the file specified.
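As an added example (not code from Auction Weaver or from this advisory), the following Python shows two defensive checks for the traversal pattern described above: a server-side path resolution that refuses any catdir/fromfile combination escaping a base directory, and an access-log check that flags requests whose catdir or fromfile parameters carry a ".." segment. BASE_DIR and the sample request lines are constructed for the example; Python is used for illustration even though the original script is Perl.

```python
import posixpath
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical data directory for this example; the advisory names no path.
BASE_DIR = "/var/www/awl/data"

def resolve_under_base(base_dir: str, catdir: str, fromfile: str) -> Optional[str]:
    """Return the file path for catdir/fromfile only if it stays under base_dir."""
    if not fromfile:
        return None
    # The advisory's payload uses backslashes ("\..\..\"), so treat both
    # separators alike before normalising.
    rel = posixpath.join(catdir.replace("\\", "/"), fromfile.replace("\\", "/"))
    rel = rel.lstrip("/")  # a leading "/" would otherwise name an absolute path
    candidate = posixpath.normpath(posixpath.join(base_dir, rel))
    # Containment check after normalisation: ".." segments have been collapsed,
    # so anything outside base_dir now shows up as a different prefix.
    # On a live host also apply os.path.realpath to defeat symlinks.
    base = base_dir.rstrip("/")
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate

def flags_traversal(request_url: str) -> bool:
    """True if catdir or fromfile in the query string carries a '..' segment."""
    params = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    for key in ("catdir", "fromfile"):
        for value in params.get(key, []):
            # parse_qs has already percent-decoded, so %2e%2e is caught as well
            if ".." in value.replace("\\", "/").split("/"):
                return True
    return False

def scan_log(lines: List[str]) -> List[str]:
    """Return the request URLs from an access-log excerpt that look like traversal."""
    return [line for line in lines if flags_traversal(line)]

# Constructed sample requests (not real log data); the first is the advisory's URL.
SAMPLE_REQUESTS = [
    "http://target/cgi-bin/awl/auctionweaver.pl?flag1=1&catdir=\\..\\..\\&fromfile=file.ext",
    "http://target/cgi-bin/awl/auctionweaver.pl?flag1=1&catdir=items&fromfile=1.txt",
    "http://target/cgi-bin/awl/auctionweaver.pl?flag1=1&catdir=%2e%2e%2f%2e%2e&fromfile=x",
]

if __name__ == "__main__":
    for url in scan_log(SAMPLE_REQUESTS):
        print("traversal attempt:", url)
    print(resolve_under_base(BASE_DIR, "\\..\\..\\", "file.ext"))
```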

Copyright 2010, SecurityFocus