-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal
vulnerability

Revision 1.3
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (advisory@stgsecurity.com)

Summary
========
KorWeblog is a weblog application used by many Korean Linux users.

It has a directory traversal vulnerability that malicious attackers can get
file lists of arbitrary directories.

Vendor URL
==========
http://weblog.kldp.org

Vulnerability Class
===================
Implementation Error: Input validation flaw

Details
=======
KorWeblog has a function to insert image icons when users post replies. This
function is implemented in viewimg.php.
It doesn't check user input correctly, so malicious attackers can modify
$path variable and can get file lists of a target directory.

http://[victim]/viewimg.php?path=images.d/face/../../../../../../../&form=Co
m&var=faceicon

Impact
======
Medium: Information disclosure

Workaround
==========
please download and apply viewimg.diff from
http://kldp.net/tracker/index.php?func=detail&aid=300515&group_id=13&atid=30
0013

- --- viewimg-org.php	2004-09-21 13:08:15.000000000 +0900
+++ viewimg.php	2004-09-21 13:08:44.000000000 +0900
@@ -63,13 +63,13 @@
 <TABLE BORDER="0" CELLSPACING="3" CELLPADDING="5" ALIGN="CENTER">
 <TR>
 <?
- -$img_file = KWL_GetFileName("$CONF[G_PATH]/$path");
+$img_file = KWL_GetFileName("$CONF[G_PATH]/images.d/face");
 $x = 0;
 if (is_array($img_file)) {
 	foreach($img_file as $img) {
 		if (isset($fix)) $tmp = "$path/$img";
 		else $tmp = $img;
- -		echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
SRC=\"$CONF[G_URL]/$path/$img\" BORDER=\"0\" VSPACE=\"5\" HSPACE=\"5\"
ALT=\"$img\"></A>\n";
+		echo "<TD ALIGN=CENTER><A HREF=\"javascript:pick('$tmp')\"><IMG
SRC=\"$CONF[G_URL]/images.d/face/$img\" BORDER=\"0\" VSPACE=\"5\"
HSPACE=\"5\" ALT=\"$img\"></A>\n";
 		$x++;
 		if ($x==7 || isset($br)) { echo "</TR><TR>\n"; $x=0; }
 	}


Affected Products
================
KorWeblog 1.6.2-cvs and prior

Vendor Status: NOT FIXED
=======================
2004-09-20 Vulnerability found.
2004-09-21 KorWeblog developer notified but didn't reply.
2004-09-21 Jeremy Bae made and submitted a patch.
2004-11-22 Official release.

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQaP3/j9dVHd/hpsuEQLdiQCghTLqIwBh6ckXCaey1HhN+E+U3BsAnjXk
Vo/EGxQDaN//HosfSJm640zX
=sTJy
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html