
Neoboard Remote arbitrary file retrieving
ZH2004-02SA (security advisory): PJ CGI Neo review (NeoBoard review) Remote arbitrary file retrieving






Published: 29 January 2004



Released: 29 January 2004



Name: PJ CGI Neo review (NeoBoard review)



Affected Systems: Current version



Issue: Remote file retrieving



Author: Zone-h Security Labs



Vendor: http://www.livepj.com 





Description



***********



Zone-h Security Team has discovered a flaw in PJ CGI Neo review (NeoBoard review). A vulnerability in the current version of NeoBoard allows an attacker to retrieve arbitrary files from the web server, with the privileges of the web server.







Details



******* 





It is possible for a remote attacker to retrieve any file from the web server through the p parameter of PJreview_Neo.cgi.



For example try this:



http://address/directory/PJreview_Neo.cgi?p=/../../../../../../../../../../../../../../../../etc/passwd









Solution:



*********



The vendor has not been contacted because his site is unreachable.
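
With no vendor fix listed, administrators can check web server access logs for requests that send a ".." path segment in the p parameter of PJreview_Neo.cgi. The script below is an added example, not part of the original advisory or the vendor's code; it assumes Combined Log Format, and the sample log lines, addresses and the benign value "review1" are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

SCRIPT, PARAM = "PJreview_Neo.cgi", "p"   # script and parameter named in the advisory
# Request field of a Combined Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (addresses, paths and benign values are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jan/2004:10:00:00 +0000] "GET /cgi-bin/PJreview_Neo.cgi?p=review1 HTTP/1.1" 200 512',
    '192.0.2.66 - - [29/Jan/2004:10:00:05 +0000] "GET /cgi-bin/PJreview_Neo.cgi?p=/../../../../etc/passwd HTTP/1.0" 200 1301',
    '192.0.2.66 - - [29/Jan/2004:10:00:09 +0000] "GET /cgi-bin/PJreview_Neo.cgi?p=%252e%252e%252fetc%252fpasswd HTTP/1.0" 200 1301',
    '192.0.2.11 - - [29/Jan/2004:10:01:00 +0000] "GET /cgi-bin/PJreview_Neo.cgi?p=notes..txt HTTP/1.1" 200 220',
    '192.0.2.12 - - [29/Jan/2004:10:02:00 +0000] "GET /cgi-bin/other.cgi?p=../x HTTP/1.1" 404 0',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment."""
    return ".." in decode_fully(value).replace("\\", "/").split("/")

def suspicious_requests(log_lines):
    """Return (client, decoded p value) for requests to SCRIPT whose p traverses."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith("/" + SCRIPT):
            continue
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            if key == PARAM and is_traversal(value):
                hits.append((line.split()[0], decode_fully(value)))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested p={value!r}")
```

A 200 status on a flagged request, as in the constructed samples, is a reason to review what the server returned for it.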





http://www.zone-h.org/advisories/read/id=3824 
