| VID |
21456 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
TECH-NOTE contains a file disclosure vulnerability in its 'print.cgi' script. TECH-NOTE (Technote) is a popular Korean bulletin board software for Web sites. TECH-NOTE 2000, 2001, and PRO could allow a remote attacker to traverse directories on the Web server because the application fails to properly validate user-supplied input when calling the open function in the 'print.cgi' script. By sending a specially crafted URL containing "dot dot" sequences (/../) in the 'board' parameter, a remote attacker could traverse directories and read files on the Web server.
* References:
  http://www.securityfocus.com/archive/1/153007
  http://beyonce.beyondsecurity.com/unixfocus/5ZP061535O.html
* Platforms Affected:
  TECH-NOTE Inc., TECH-NOTE 2000
  TECH-NOTE Inc., TECH-NOTE 2001
  TECH-NOTE Inc., TECH-NOTE Pro
  Linux Any version
  Unix Any version |
| Recommendation |
Apply the patch for this problem as listed on the TECH-NOTE Web site at http://www.technote.co.kr/cgi-sys/cgiwrap/cgitour/techtop/technote2/read.cgi?board=notice
1. Open the source file 'technote/print.cgi' and find the '&parse;' line.
2. Insert the code 'exit if($FORM{'img'}=~/\;|\%|\\|\.\.|\||\//);' on the next line. |
| Related URL |
CVE-2001-0074 (CVE) |
| Related URL |
2155 (SecurityFocus) |
| Related URL |
5815 (ISS) |
|