Zone-h Security Team has discovered a flaw in PJ CGI Neo review (NeoBoard review). There is a vulnerability in the current version of NeoBoard that allows an attacker to retrieve arbitrary files from the webserver with its priviledges.
Details
*******
It's possibile for a remote attacker to retrieve any file from a webserver.
ZH2004-02SA (security advisory): PJ CGI Neo review (NeoBoard review) Remote arbitrary file retrieving
Published: 29 january 2004
Released: 29 january 2004
Name: PJ CGI Neo review (NeoBoard review)
Affected Systems: Current version
Issue: Remote file retrieving
Author: Zone-h Security Labs
Vendor: http://www.livepj.com
Description
***********
Zone-h Security Team has discovered a flaw in PJ CGI Neo review (NeoBoard review). There is a vulnerability in the current version of NeoBoard that allows an attacker to retrieve arbitrary files from the webserver with its priviledges.
Details
*******
It's possibile for a remote attacker to retrieve any file from a webserver.
For example try this:
http://address/directory/PJreview_Neo.cgi?p=/../../../../../../../../../
../../../../../../../etc/passwd
Solution:
*********
The vendor has not been contacted because his site is unreachable.
http://www.zone-h.org/advisories/read/id=3824
[ reply ]