OSVDB ID: 28261

Title: Cybozu Share360 s360.exe id Parameter Traversal Arbitrary File Access

Dates

Disclosure: Aug 28, 2006
Discovery: Jul 04, 2006
Exploit: Aug 28, 2006
Solution: Unknown

Description

Share360 contains a flaw that allows a remote attacker to retrieve files from the file cabinet or retrieve attachments from a received message or memo. The issue is due to the s360.exe script not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the 'id' parameter.
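For detection, the flaw described above shows up in web-server access logs as requests to s360.exe whose 'id' value contains traversal segments. The following is an added example, not part of the OSVDB entry or of any vendor code; the log lines, the /cgi-bin/ path and the EXAMPLE file name are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (common log format). The /cgi-bin/ path
# and the EXAMPLE target are assumptions, not values from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Aug/2006:10:00:01 +0000] "GET /cgi-bin/s360.exe?id=1042 HTTP/1.1" 200 5120
192.0.2.44 - - [28/Aug/2006:10:00:07 +0000] "GET /cgi-bin/s360.exe?id=../../EXAMPLE HTTP/1.1" 200 901
192.0.2.44 - - [28/Aug/2006:10:00:09 +0000] "GET /cgi-bin/s360.exe?id=%2e%2e%5c%2e%2e%5cEXAMPLE HTTP/1.1" 200 901
192.0.2.44 - - [28/Aug/2006:10:00:12 +0000] "GET /cgi-bin/s360.exe?id=%252e%252e%252fEXAMPLE HTTP/1.1" 404 0
192.0.2.10 - - [28/Aug/2006:10:00:15 +0000] "GET /index.html?id=../x HTTP/1.1" 200 10
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if any path segment is '..', with either slash style."""
    normalized = fully_decode(value).replace("\\", "/")
    return ".." in normalized.split("/")

def find_suspicious(log_text):
    """Return (line number, client, decoded id) for traversal-style requests."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/s360.exe"):
            continue  # only the script named in the advisory
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == "id" and is_traversal(value):
                hits.append((lineno, line.split()[0], fully_decode(value)))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```
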

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Upgrade to version 2.5 (Build 0.3) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Vendor: Cybozu
Product: Share360
Version: 2.5 (Build 0.2 20050121115231)

References

Credit

  • Tan Chew Keong - vulnsecunia.com - Secunia Research


Direct URL: http://osvdb.org/28261