[VIM] Webmin traversal - changelog

Heinbockel, Bill heinbockel at mitre.org
Tue Jul 11 09:37:11 EDT 2006



>-----Original Message-----
>From: vim-bounces at attrition.org 
>[mailto:vim-bounces at attrition.org] On Behalf Of George A. Theall
>Sent: Friday, 30 June 2006 16:57
>To: Vulnerability Information Managers
>Subject: Re: [VIM] Webmin traversal - changelog
>
>security curmudgeon wrote:
>
>> Multiple guess!
>> 
>> a) Not properly fixed the first time
>> b) Originally thought to be Windows only, then discovered works on Unix
>> c) Completely separate issues/scripts
>
>The issue with 1.270 involves a failure to sanitize '\' characters in
>simplify_path(), while that in 1.280 occurs because simplify_path() is
>called before HTML entities are decoded. Sample exploit available on
>request.
>
>George
>-- 
>theall at tenablesecurity.com
>

Is this (CVE-2006-3392) related to the recent posting on Bugtraq?
http://www.securityfocus.com/archive/1/archive/1/439653/100/0/threaded

And the following references provided therein:
http://securitydot.net/vuln/exploits/vulnerabilities/articles/17885/vuln.html
http://securitydot.net/xpl/exploits/vulnerabilities/articles/1152/exploit.html

which lists a directory traversal URL similar to that below:
http://[url]/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/[file]
(the "/..%01" sequence is repeated 61 times).


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615 
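
The ordering problem described in the quoted reply (simplify_path() running before decoding), as an added example that is not part of the original messages and is not Webmin's code. `ROOT`, the function bodies, the sample input, and the assumption that the later stage percent-decodes and then drops control bytes are all constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

ROOT = "/srv/app"  # hypothetical document root (assumption)

def simplify_path(path):
    """Collapse '.' and '..' segments; None if the path climbs above '/'."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)

def decode(s):
    # Assumed later stage: percent-decode, then drop control bytes such as \x01.
    return re.sub(r"[\x00-\x1f]", "", unquote(s))

def inside_root(full):
    full = posixpath.normpath(full)
    return full == ROOT or full.startswith(ROOT + "/")

def check_then_decode(raw):
    # Flawed order: the check sees the segment "..%01", which is not "..".
    p = simplify_path(raw)
    return None if p is None else ROOT + decode(p)

def decode_then_check(raw):
    # Corrected order: decode fully, simplify, then confirm containment.
    p = simplify_path(decode(raw))
    if p is None or not inside_root(ROOT + p):
        return None
    return ROOT + p

if __name__ == "__main__":
    sample = "/unauthenticated/..%01/..%01/secret.txt"  # constructed input
    for fn in (check_then_decode, decode_then_check):
        out = fn(sample)
        print(fn.__name__, "->", out, "| inside root:", out is not None and inside_root(out))
```
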

