| VID |
21668 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Jaws software is vulnerable to a remote file inclusion vulnerability. Jaws is a framework and content management system for building dynamic web sites, written in PHP. Jaws version 0.5.2 and possibly earlier versions are vulnerable to a directory traversal vulnerability caused by improper validation of user-supplied input in the path parameter of the gadgets/Blog/BlogModel.php script. If register_globals is enabled, a remote attacker could send a specially crafted URL request containing "/../" (dot dot) sequences in the path parameter of the gadgets/Blog/BlogModel.php script to read arbitrary files outside of the document root directory.
* References: http://www.hardened-php.net/advisory-072005.php http://marc.theaimsgroup.com/?l=bugtraq&m=112067013827970&w=2
* Platforms Affected: Jaws version 0.5.2 and possibly earlier versions; any operating system, any version |
| Recommendation |
Upgrade to the latest version of Jaws (0.5.3 or later), available from the Jaws Web site at http://www.jaws.com.
As a workaround, ensure that register_globals is set to off. |
| Related URL |
CVE-2005-2179 (CVE) |
| Related URL |
14158 (SecurityFocus) |
| Related URL |
21247 (ISS) |
|
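A log-review check for the request pattern described above, as an added example (not part of the original advisory or of Jaws): it flags access-log entries that request gadgets/Blog/BlogModel.php with a ".." segment in the path parameter, and goes slightly beyond the literal "/../" form by also matching percent-encoded and backslash variants. The combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SCRIPT = "gadgets/blog/blogmodel.php"  # script named in the advisory, lower-cased
PARAM = "path"                         # parameter named in the advisory
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines (assumed combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jul/2005:10:00:01 +0000] "GET /index.php?gadget=Blog HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Jul/2005:10:02:13 +0000] "GET /gadgets/Blog/BlogModel.php?path=/../../../some/file HTTP/1.0" 200 812',
    '198.51.100.7 - - [05/Jul/2005:10:02:15 +0000] "GET /gadgets/Blog/BlogModel.php?path=%252e%252e%252fsome%252ffile HTTP/1.0" 200 640',
    '192.0.2.10 - - [05/Jul/2005:10:05:40 +0000] "GET /gadgets/Blog/BlogModel.php?path=themes..default HTTP/1.1" 200 100',
]


def has_dot_dot_segment(value):
    """True if value contains a '..' path segment after percent-decoding."""
    for _ in range(3):  # parse_qsl decoded once already; undo nested encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return ".." in value.replace("\\", "/").split("/")


def suspicious_requests(log_lines):
    """Return the log lines that request SCRIPT with a traversal in PARAM."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not unquote(url.path).lower().endswith(SCRIPT):
            continue
        params = parse_qsl(url.query, keep_blank_values=True)
        if any(k == PARAM and has_dot_dot_segment(v) for k, v in params):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The check inspects only the query string recorded in the access log.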