TITLE:
WAWI Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA23292

VERIFY ADVISORY:
http://secunia.com/advisories/23292/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Exposure of sensitive information, DoS, System access

WHERE:
From remote

SOFTWARE:
WAWI 7.x
http://secunia.com/product/12867/

DESCRIPTION:
Luigi Auriemma has discovered some vulnerabilities in WAWI, which can
be exploited by malicious users to gain knowledge of sensitive
information, bypass certain security restrictions, or compromise a
vulnerable system, and by malicious people to potentially compromise
a vulnerable system.

1) A boundary error within the "FindBasicAuth()" function can be
exploited by malicious people to cause a stack-based buffer overflow
by specifying an overly long string (greater than 100 bytes) in the
"username" field or via a specially-crafted packet.

Successful exploitation may allow execution of arbitrary code.

2) A boundary error in the "path" parameter in the "browse" function
can be exploited by malicious users to crash the service via an
overly long string (greater than 512 bytes) passed to the said
parameter.

3) A boundary error in the "file" parameter in the "ld" function can
be exploited by malicious users to cause a stack-based buffer
overflow via an overly long string (greater than 512 bytes) passed to
the said parameter.

Successful exploitation allows execution of arbitrary code, but
requires that the malicious user has "Add Files" privileges.

4) Input passed to the "path" parameter in the "browse" function is
not properly sanitised before being used to display files. This can
be exploited by malicious users to display arbitrary files via
directory traversal attacks.

5) Input passed to the "file" parameter in the "dl" function is not
properly sanitised before being used to download files. This can be
exploited by malicious users to download files within the web root
directory by appending a "." character to the file name.

6) An error in the checking of the root directory can be exploited by
malicious users to view other directories with the same directory
name as the root directory but with a number appended to it e.g.
root_dir, root_dir1, root_dir_2.

The vulnerabilities are confirmed in version 7.5.13. Other versions
may also be affected.

SOLUTION:
Filter requests to the server by using a firewall or a device with
such capabilities.

Grant access to trusted users only.

PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma

ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051217.html
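The root-directory and path checks that issues 4) to 6) concern, as an added example that is not part of the Secunia advisory and is not WAWI code. ROOT and the sample requests are constructed, prefix_only_check() is an assumption about the kind of comparison issue 6) describes, and the trailing-dot rule assumes the Win32 behaviour of dropping trailing dots and spaces from file names is what issue 5) relies on.

```python
import ntpath  # Windows path rules as pure string handling; runs on any OS

ROOT = r"C:\share\root_dir"  # constructed sample root, not from the advisory


def prefix_only_check(root, requested):
    """Flawed pattern (assumed): normalize, then compare a bare string prefix."""
    full = ntpath.normcase(ntpath.normpath(ntpath.join(root, requested)))
    # "c:\share\root_dir1\..." also starts with "c:\share\root_dir"
    return full.startswith(ntpath.normcase(root))


def safe_resolve(root, requested):
    """Return the normalized path if it stays inside root, else None."""
    parts = requested.replace("/", "\\").split("\\")
    # Reject components ending in '.' or ' ': Win32 strips them, so the name
    # that gets checked would differ from the file that gets opened.
    if any(p not in ("", ".", "..") and p[-1] in ". " for p in parts):
        return None
    root_n = ntpath.normcase(ntpath.normpath(root))
    # join() lets an absolute or drive-qualified request replace the root;
    # the containment test below rejects that case as well.
    full = ntpath.normcase(ntpath.normpath(ntpath.join(root_n, requested)))
    # Compare on a component boundary, not on a raw string prefix.
    if full == root_n or full.startswith(root_n + "\\"):
        return full
    return None


if __name__ == "__main__":
    samples = [  # constructed requests
        r"docs\readme.txt",
        r"..\root_dir1\secret.txt",
        r"..\..\Windows\win.ini",
        "docs/config.php.",
        r"C:\Windows\win.ini",
    ]
    for req in samples:
        print(f"{req!r:32} prefix_only={prefix_only_check(ROOT, req)!s:5} "
              f"safe={safe_resolve(ROOT, req)}")
```
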