OSVDB ID: 94856

Title: Softaculous index.live.php download Parameter Traversal Arbitrary File Access

Dates

Disclosure: May 06, 2013
Discovery: Unknown
Exploit: May 06, 2013
Solution: May 06, 2013

Description

Softaculous contains a flaw that allows an attacker to traverse outside of a restricted path. The issue is due to the index.live.php script not properly sanitizing user input, specifically directory-traversal sequences (e.g., ../../) supplied via the 'download' parameter. This directory traversal attack would allow a remote attacker to gain read access to arbitrary files on the server.
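The description above is the classic pattern of a download parameter reaching the filesystem API unchanged. The following is an added example, not Softaculous code, showing that pattern beside a hardened handler that canonicalises the requested path with realpath() and refuses anything whose canonical form leaves the intended directory. The directory name, the use of $_GET['download'], and the function names resolve_download(), deliver_download_unsafe() and deliver_download() are assumptions for illustration; the sample file it creates is constructed for the self-test.

```php
<?php
// Added example (not the project's own code): guarding a file-download
// parameter against directory traversal. Function names and the use of
// $_GET['download'] are assumptions for illustration.

declare(strict_types=1);

// Resolve a requested file name against an allow-listed base directory.
// Returns the canonical path on success, or null if the request must be
// refused (missing file, null byte, or a path that escapes the base).
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory must exist
    }
    // PHP 8 realpath() throws on embedded null bytes; reject them up front
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // target does not exist
    }
    // Containment check: the canonical path must start with base + separator,
    // so sequences such as ../../ that resolve elsewhere are rejected
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (!is_file($candidate)) {
        return null; // refuse directories, devices, etc.
    }
    return $candidate;
}

// The vulnerable shape the description refers to: user input is concatenated
// straight into the path, so '../../' walks out of the intended directory.
function deliver_download_unsafe(string $baseDir): void
{
    readfile($baseDir . '/' . $_GET['download']); // do not do this
}

// Hardened handler: every request goes through resolve_download() first.
function deliver_download(string $baseDir): void
{
    $requested = (string)($_GET['download'] ?? '');
    $path = resolve_download($baseDir, $requested);
    if ($path === null) {
        http_response_code(404); // same response for missing and refused paths
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

// Self-test on a constructed temporary directory with one sample file.
$tmp = sys_get_temp_dir() . '/dl_' . bin2hex(random_bytes(4));
mkdir($tmp);
file_put_contents($tmp . '/report.txt', "sample\n");

$cases = ['report.txt', '../../etc/passwd', "report.txt\0.jpg", 'missing.txt'];
foreach ($cases as $name) {
    $verdict = resolve_download($tmp, $name) !== null ? 'allowed' : 'blocked';
    echo str_replace("\0", '\\0', $name) . ' => ' . $verdict . "\n";
}

unlink($tmp . '/report.txt');
rmdir($tmp);
```

Run it from the command line to see one allowed request and three refused ones. The check is done on the canonical path rather than by stripping "../" from the input, because string filtering misses encoded variants and symlinks; realpath() settles both.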

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Confidentiality
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Authentication Required, Web Related

Solution

It has been reported that this issue has been fixed. Upgrade to version 4.2.3, or higher, to address this vulnerability.

Products

Vendor: Softaculous Ltd.
Product: Softaculous
Version: 4.2.2

References

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/94856