all files or just the contents of a folder?

----- Original Message -----
From: "Sintelli SINTRAQ" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, October 20, 2003 8:16 AM
Subject: [Full-Disclosure] ByteHoard Directory Traversal Vulnerability

> ByteHoard Directory Traversal Vulnerability
> 17 October 2003
>
> Original Advisory
> http://www.sintelli.com/adv/sa-2003-03-bytehoard.pdf
>
> Background
> ByteHoard is an online storage system whereby users can upload and download
> their files from anywhere with an Internet connection.
>
> More information about the product is available here:
> http://bytehoard.sourceforge.net/index.php?about
>
> Description
> ByteHoard does not properly validate user-supplied input for URL
> requests. This allows directory traversal characters to be added to the URL
> request and thus allows directory traversal.
>
> An example is:
> http://victim.com/bytehoard/index.php?infolder=../../../../
>
> Impact
> It is possible for an attacker to view all files on the system.
>
> Versions affected
> Version 0.7
>
> Solution
> Upgrade to version 0.71
>
> Tar version
> http://prdownloads.sourceforge.net/bytehoard/bytehoard_point_seven_one.tar.gz?download
>
> Zip version
> http://prdownloads.sourceforge.net/bytehoard/bytehoard_point_seven_one.zip?download
>
> Vulnerability History
> 16 Oct 2003  Identified by Ezhilan of Sintelli
> 17 Oct 2003  Issue disclosed to ByteHoard developer (Andrew Godwin)
> 17 Oct 2003  Vulnerability confirmed by Andrew Godwin
> 17 Oct 2003  Sintelli provided with fix
> 17 Oct 2003  Sintelli confirms vulnerability has been addressed
> 17 Oct 2003  Fix publicly available
> 17 Oct 2003  Sintelli Public Disclosure
>
> Credit
> Ezhilan of Sintelli discovered this vulnerability.
>
> About Sintelli:
> Sintelli is the world's largest provider of security intelligence
> solutions. Sintelli is the definitive source for IT Security
> intelligence and is a provider of third generation intelligence security
> solutions.
>
> Request a free trial of our alerting solution by clicking here
> http://www.sintelli.com/free-trial.htm
>
> Copyright 2003 Sintelli Limited. All rights reserved.
> www.sintelli.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
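The advisory quoted above shows the unsafe request but not the kind of check a fixed version needs. The following is an added example, not ByteHoard's code: a Python path-containment check for an `infolder`-style parameter. The function names, the storage root and the sample requests are constructed for this illustration.

```python
import os
import tempfile

class TraversalError(ValueError):
    """Raised when a requested folder would resolve outside the storage root."""

def resolve_folder(storage_root: str, infolder: str) -> str:
    """Map a user-supplied folder name onto a directory inside storage_root.

    The request is joined to the root, fully resolved (realpath collapses
    '..' and follows symlinks), and the result must still lie below the
    resolved root. Rejecting '..' textually is not enough on its own.
    """
    root = os.path.realpath(storage_root)
    # A user folder is always relative to the root; refuse absolute paths and NUL bytes.
    if os.path.isabs(infolder) or "\x00" in infolder:
        raise TraversalError(f"rejected: {infolder!r}")
    candidate = os.path.realpath(os.path.join(root, infolder))
    # Compare with a trailing separator so '/srv/store2' is not accepted as
    # being inside '/srv/store'. The root itself is allowed.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalError(f"rejected: {infolder!r} escapes {root}")
    return candidate

def classify_requests(storage_root: str, requests) -> dict:
    """Return {infolder: 'allowed' | 'rejected'} for a batch of requested folders."""
    results = {}
    for infolder in requests:
        try:
            resolve_folder(storage_root, infolder)
            results[infolder] = "allowed"
        except TraversalError:
            results[infolder] = "rejected"
    return results

# Constructed sample requests, including the advisory's '?infolder=../../../../'.
SAMPLE_REQUESTS = [
    "docs",                  # ordinary subfolder
    "docs/../docs/reports",  # '..' that still stays inside the root
    "../../../../",          # the traversal from the advisory
    "docs/../../etc",        # escapes the root by one level
    "/etc",                  # absolute path
    "",                      # the root itself
]

def demo() -> dict:
    """Run the sample requests against a throwaway storage root."""
    with tempfile.TemporaryDirectory() as root:
        return classify_requests(root, SAMPLE_REQUESTS)

if __name__ == "__main__":
    for folder, verdict in demo().items():
        print(f"{verdict:8} {folder!r}")
```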
