----------------------------------------------------------------------

Try a new way to discover vulnerabilities that ALREADY EXIST in your
IT infrastructure.

Join the FREE BETA test of the Network Software Inspector (NSI)!
http://secunia.com/network_software_inspector/

The NSI enables you to INSPECT, DISCOVER, and DOCUMENT
vulnerabilities in more than 4,000 different Windows applications.

----------------------------------------------------------------------

TITLE:
H-Sphere SiteStudio "template" Information Disclosure

SECUNIA ADVISORY ID:
SA25243

VERIFY ADVISORY:
http://secunia.com/advisories/25243/

CRITICAL:
Moderately critical

IMPACT:
Exposure of sensitive information

WHERE:
>From remote

SOFTWARE:
H-Sphere 2.x
http://secunia.com/product/935/
H-Sphere 1.x
http://secunia.com/product/14212/

DESCRIPTION:
A vulnerability has been reported in H-Sphere SiteStudio, which can
be exploited by malicious people to disclose potentially sensitive
information.

Input passed to the "template" parameter is not properly sanitised
before being used. This can be exploited to include arbitrary files
from local resources via directory traversal attacks.

Successful exploitation allows disclosing the contents of
configuration files, which can contain the database password.

SOLUTION:
Apply patch.
http://www.psoft.net/misc/hsphere_sitestudio_fix_2007-05-10.html

PROVIDED AND/OR DISCOVERED BY:
Reported by an anonymous person and the vendor.

ORIGINAL ADVISORY:
http://www.psoft.net/misc/hsphere_sitestudio_fix_2007-05-10.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------