OSVDB ID: 33879

Title: Advanced Guestbook index.php lang Cookie Variable Path Disclosure

Dates

Disclosure: May 07, 2007
Discovery: Unknown
Exploit: May 07, 2007
Solution: Unknown

Description

Advanced Guestbook contains a flaw that allows a remote attacker to view arbitrary files on the system outside of the web path. The issue is due to 'index.php' not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the 'lang' cookie parameter.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Public
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Unknown or Incomplete

References

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/33879