OSVDB ID: 34506

Title: aBitWhizzy whizzylink.php d Variable Traversal Arbitrary Directory Listing

Info

Disclosure

Mar 27, 2007

Discovery

Mar 25, 2007

Dates

Exploit

Mar 25, 2007

Solution

Unknown

Description

aBitWhizzy contains a flaw that allows a remote attacker to directory listing outside of the web path. The issue is due to the whizzylink.php not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'd' variable.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Unverse.net

aBitWhizzy

Unknown or Unspecified

References

CVE ID: 2007-1773 (see also: NVD)
Bugtraq ID: 23167
Secunia Advisory ID: 24679
ISS X-Force ID: 33277
Related OSVDB ID: 34505 34507
VUPEN Advisory: ADV-2007-1136
Generic Exploit URL: http://downloads.securityfocus.com/vulnerabilities/exploits/23167.html
Other Advisory URL: http://lostmon.blogspot.com/2007/03/abitwhizzy-traversal-folder-enumeration.html
Vendor URL: http://www.unverse.net/abitwhizzy/

Credit

Lostmon Lords - Lostmongmail.com -

Direct URL: http://osvdb.org/34506