SIX-webboard does not adequately validate user input thereby permitting directory traversal

Overview

SIX-webboard does not adequately validate user input, allowing directory traversal.

Description

SIX-webboard 2.01 does not adequately validate the “content” CGI variable, allowing directory traversal out of SIX-webboard’s content root directory. Attackers may exploit this vulnerability to read any file on the server with privileges of the web server process.

---

Impact

Attackers may read any file on the server with privileges of the web server process.

---

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

---

Vendor Information

494307

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Sixhead Affected

Updated: September 25, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23494307 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

<http://www.securityfocus.com/bid/3175&gt;

Acknowledgements

Thanks to Hannibal Lector for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs:	CVE-2001-1115
Severity Metric:	1.71 Date Public: