The program by default has some checks to avoid malicious patterns
like "/../" into http requests, but it doesn't manage patterns like:
"\..\", "../" or "/.../".
So an attacker is able to see and download all the files on the remote
system simply using a browser.
Donato Ferrante
Application: FastStone 4in1 Browser
http://www.faststone.org
Version: 1.2
Bug: directory traversal
Date: 29-Mar-2005
Author: Donato Ferrante
e-mail: fdonato (at) autistici (dot) org [email concealed]
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"A FREE multi-window Web Browser with a built-in Web Server."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program by default has some checks to avoid malicious patterns
like "/../" into http requests, but it doesn't manage patterns like:
"\..\", "../" or "/.../".
So an attacker is able to see and download all the files on the remote
system simply using a browser.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability:
http://[host]/.../.../.../.../.../.../windows/system.ini
or:
http://[host]/..\..\..\..\..\..\..\..\windows/system.ini
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
Vendor was contacted.
Bug fixed in the version 1.3.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[ reply ]