• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

ACD CwpAPI Relative Path Validation Vulnerability

CwpAPI is a collection of PHP libraries designed to allow the easy creation of secure web programs.

The function GetRelativePath is designed to ensure the return value is within the web root directory, but does not properly check all paths.

If a program was constructed to rely on this security feature, it is possible it would be vulnerable to an attack. For example, it might be possible to read or write to files outside of the web root, if no additional permission checks or validation are performed.