| VID |
21407 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Anaconda Foundation Directory program has a directory traversal vulnerability in the apexec.pl script. Anaconda Foundation Directory is a Yahoo-style search engine that allows Web site operators to integrate content into their own Web site's theme. Some Anaconda Foundation Directory versions allow a remote attacker to access arbitrary files outside of the web root directory because the application fails to properly sanitize user input in the 'apexec.pl' script. By sending a request containing "dot dot" sequences (/../) followed by a URL-encoded null byte and the file extension (%00.html), a remote attacker could traverse directories and read arbitrary files on the Web server.
* References: http://www.osvdb.org/displayvuln.php?osvdb_id=435
* Platforms Affected: Anaconda Foundation Directory (any version), Linux (any version), Unix (any version) |
| Recommendation |
No upgrade or patch available as of June 2014.
Upgrade to a version of Anaconda Foundation Directory that fixes this problem when one becomes available from the Anaconda Partners LLC Web site at http://www.anaconda.net/ |
| Related URL |
CVE-2000-0975 (CVE) |
| Related URL |
2338 (SecurityFocus) |
| Related URL |
5750 (ISS) |
|
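One way to look for the request pattern described above in web server access logs, as an added example that is not part of the original entry or of any scanner's own check: it flags requests to apexec.pl whose query string, after repeated percent-decoding, contains a dot-dot path segment or a null byte. The log lines are constructed, and the parameter name `page` is hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')
# ".." as a whole path segment, bounded by =, /, &, a null byte or the end
DOT_DOT_RE = re.compile(r"(^|[=/&])\.\.(/|\x00|&|$)")
MAX_DECODE_ROUNDS = 3  # peel nested encodings such as %252e%252e

# Constructed sample log lines; "page" is a hypothetical parameter name.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2014:10:00:01 +0000] "GET /cgi-bin/apexec.pl?page=index.html HTTP/1.0" 200 5120',
    '203.0.113.9 - - [10/Jun/2014:10:00:05 +0000] "GET /cgi-bin/apexec.pl?page=../../../outside/webroot/file%00.html HTTP/1.0" 200 912',
    '203.0.113.9 - - [10/Jun/2014:10:00:09 +0000] "GET /cgi-bin/apexec.pl?page=%252e%252e%252f%252e%252e%252foutside%2500.html HTTP/1.0" 200 912',
    '198.51.100.7 - - [10/Jun/2014:10:00:12 +0000] "GET /cgi-bin/other.pl?page=../x HTTP/1.0" 404 210',
]

def fully_decode(value):
    """Percent-decode repeatedly so double-encoded sequences are seen."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return the set of findings for one access-log line (empty if clean)."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return set()
    parts = urlsplit(match.group("target"))
    if not fully_decode(parts.path).lower().endswith("/apexec.pl"):
        return set()  # this check only covers the apexec.pl script
    query = fully_decode(parts.query).replace("\\", "/")
    findings = set()
    if DOT_DOT_RE.search(query):
        findings.add("dot-dot-sequence")
    if "\x00" in query:
        findings.add("null-byte-truncation")
    return findings

def scan(lines):
    """Return (line_number, sorted findings) for every suspicious line."""
    hits = [(n, sorted(classify(line))) for n, line in enumerate(lines, start=1)]
    return [(n, findings) for n, findings in hits if findings]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```

A 200 response to a flagged request is worth triaging first, since it suggests the script returned content rather than an error.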