OSVDB ID: 85310

Title: FlatnuX CMS controlcenter.php contents/Files Action dir Parameter Traversal Arbitrary File Access

Info

Disclosure

Apr 01, 2012

Discovery

Unknown

Dates

Exploit

Apr 01, 2012

Solution

Unknown

Description

FlatnuX CMS contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the controlcenter.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'dir' parameter of the contents/Files action. This directory traversal attack would allow the attacker to gain access to arbitrary files.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Solution: Solution Unknown
Exploit: Exploit Public
Disclosure: Uncoordinated Disclosure
OSVDB: Web Related

Solution

OSVDB is not aware of a solution for this vulnerability.

Products

FlatnuX

FlatnuX CMS

08.09.2

References

CVE ID: 2012-4878 (see also: NVD)
Bugtraq ID: 52846
ISS X-Force ID: 74568
Packet Storm: http://packetstormsecurity.org/files/111473/Flatnux-CMS-2011-08.09.2-CSRF-XSS-Directory-Traversal.html
Other Advisory URL: http://www.vulnerability-lab.com/get_content.php?id=487

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/85310