Directory traversal in index.php
Bug #1093967 reported by Amril Jafni Joehari
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Xibo | Fix Released | Critical | Unassigned |
1.2 | Fix Released | Critical | Alex Harrington |
1.4 | Fix Released | Critical | Dan Garner |
1.5 | Fix Released | Critical | Unassigned |
Bug Description
Hi Xibo Team,
Our pentesters (Detica - BAE Systems) have found a directory traversal vulnerability in Xibo 1.2.2. We have tested on version 1.2.2 and 1.4.1 in our staging environment. The bug exists in the "p" parameter in index.php, and unauthenticated users can exploit the bug.
POC:
Expected output will show the content of /etc/passwd if the server is running Linux.
Please email me for screenshot and details.
Information type: Public Security → Private Security
Thanks for reporting this Amril. We'll confirm and look at releasing a patch shortly.
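An operator running an affected version can review web server logs for requests that abuse the "p" parameter of index.php described in this report. The following is an added example, not part of the bug report or of Xibo's code. It assumes combined-format access logs and that legitimate "p" values are plain alphanumeric page names; the log lines, paths and page names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate values of "p" are short alphanumeric page names.
SAFE_PAGE = re.compile(r"^[A-Za-z0-9_]{1,64}$")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding, e.g. %252e -> %2e -> '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_target(target):
    """Return None for requests that are not index.php?p=..., else a verdict."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if not parts.path.lower().endswith("/index.php") or "p" not in query:
        return None
    verdict = "ok"
    for value in map(fully_decode, query["p"]):
        # Path separators, parent references or NUL bytes never belong in a page name.
        if ".." in value or "/" in value or "\\" in value or "\x00" in value:
            return "traversal"
        if not SAFE_PAGE.match(value):
            verdict = "unexpected"
    return verdict

def scan(lines):
    """Return (line_number, verdict, request_target) for every suspicious hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        verdict = classify_target(match.group(1)) if match else None
        if verdict in ("traversal", "unexpected"):
            hits.append((number, verdict, match.group(1)))
    return hits

# Constructed sample entries (addresses, paths and page names are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jan/2013:10:00:01 +0000] "GET /xibo/index.php?p=dashboard HTTP/1.1" 200 5120',
    '203.0.113.9 - - [02/Jan/2013:10:00:07 +0000] "GET /xibo/index.php?p=..%2f..%2fsome%2ffile HTTP/1.1" 200 1804',
    '203.0.113.9 - - [02/Jan/2013:10:00:09 +0000] "GET /xibo/index.php?p=%252e%252e%255cconf HTTP/1.1" 200 311',
    '203.0.113.9 - - [02/Jan/2013:10:00:11 +0000] "GET /xibo/index.php?p=layout.bak HTTP/1.1" 200 42',
    '203.0.113.7 - - [02/Jan/2013:10:00:15 +0000] "GET /xibo/about.php?p=../x HTTP/1.1" 404 0',
]
```

Calling `scan(SAMPLE_LOG)` flags entries 2 and 3 as traversal attempts (the second only after its double encoding is undone) and entry 4 as an unexpected value worth a manual look.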