Info

Disclosure

Oct 28, 2005

Discovery

Unknown

Dates

Exploit

Oct 28, 2005

Solution

Unknown

Description

GNUMP3d contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the program not properly sanitizing user input, specifically traversal style attacks (../../).

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 2.9.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

GNU

GNUMP3d

2.9.3

References

Security Tracker: 1015118
Bugtraq ID: 15228
Secunia Advisory ID: 17351 17355 17831
CVE ID: 2005-3123 (see also: NVD)
Related OSVDB ID: 20359 20723
Keyword: DSA-877-1
Other Advisory URL: http://lists.suse.com/archive/suse-security-announce/2005-Dec/0001.html
http://www.debian.org/security/2005/dsa-877
Vendor URL: http://www.gnu.org/software/gnump3d/

Credit

Steve Kemp -

Direct URL: http://osvdb.org/20360