| VID |
21232 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
Cross-Referencing Linux has a directory traversal vulnerability. Cross-Referencing Linux, also known as LXR, allows normal users to read all Linux kernel source using a web browser. The application is written in Perl and converts all Linux kernel sources to HTML. For more information, visit the project's official website at http://lxr.linux.nu. A directory traversal vulnerability in the CGI 'source' in Cross-Referencing Linux allows a remote attacker to read arbitrary files on the web server via a .. (dot dot) attack on the "v" parameter, with %00 added at the end of 'v'. If the attacker sets the "v" parameter to something like: http://vulnerable/source?v=../../../../../../../etc/password%00
Cross-Referencing Linux will open and display the password file.
* References: http://www.securityfocus.com/archive/1/314613
* Affected Software: Cross-Referencing Linux Version 0.9.2 or prior |
| Recommendation |
Remove the CGI from the CGI-BIN directory until a patch for this flaw is released. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
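To check whether a server running the 'source' CGI has already received requests of the kind described above, the following added example (not part of the original advisory or of LXR) scans web access log lines for a "v" parameter that contains a ".." path segment or a decoded NUL byte. It assumes Common Log Format and that the CGI appears as a path segment named `source`; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request line of a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def check_target(target):
    """Return reasons why a request to the LXR 'source' CGI looks like traversal."""
    parts = urlsplit(target)
    if "source" not in parts.path.split("/"):
        return []                      # not a request to the 'source' CGI
    reasons = []
    for pair in re.split(r"[&;]", parts.query):
        name, _, raw = pair.partition("=")
        if unquote_plus(name) != "v":
            continue
        value = unquote_plus(raw)      # decode first so %00 becomes a real NUL
        if "\x00" in value:
            reasons.append("nul-byte")
        # Flag ".." only as a whole path segment, so "2.4..20" is not a hit.
        if ".." in re.split(r"[/\\]", value):
            reasons.append("dot-dot")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every log line that trips a check."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            reasons = check_target(match.group(1))
            if reasons:
                hits.append((number, reasons))
    return hits

# Constructed sample entries (documentation-range IPs, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /source/kernel/sched.c?v=2.4.20 HTTP/1.0" 200 5120',
    '192.0.2.44 - - [01/Jan/2000:10:00:05 +0000] "GET /source?v=../../../../../../../etc/password%00 HTTP/1.0" 200 812',
    '192.0.2.44 - - [01/Jan/2000:10:00:09 +0000] "GET /source?v=../2.4.20 HTTP/1.0" 404 0',
    '192.0.2.10 - - [01/Jan/2000:10:00:12 +0000] "GET /source?v=2.4..20 HTTP/1.0" 404 0',
    '192.0.2.10 - - [01/Jan/2000:10:00:15 +0000] "GET /index.html?v=../x HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

A hit with status 200 on a request like the second sample line is worth treating as a possible file disclosure and following up on.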