vendor: Web Wiz Forums, NewsPad, Rich Text Editor
by:
CVSS: 5.5 (MEDIUM)
Information Disclosure
CWE: 200
Product Name: Web Wiz Forums, NewsPad, Rich Text Editor
Affected Version From: Forums 9.07, NewsPad 1.02, Rich Text Editor 4.0
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Remote Information Disclosure in Web Wiz Forums, NewsPad, and Rich Text Editor

The vulnerability exists due to a lack of proper sanitization of user-supplied input. An attacker can exploit this issue by sending a specially crafted request to retrieve arbitrary files in the context of the webserver process. This information can be used to launch further attacks.

Mitigation:

To mitigate this vulnerability, it is recommended to apply proper input validation and sanitization mechanisms to prevent arbitrary file retrieval.
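
One way to implement that validation for the sub parameter of RTE_file_browser.asp, as an added example that is not the vendor's code: allowlist each folder name, then canonicalize the result and confirm it stays under the upload root. BASE_DIR, resolve_subfolder and the segment rule are assumptions made for illustration; ntpath is used so Windows path rules apply on any platform.

```python
import ntpath
import re

# Assumed upload root; the real location depends on the installation.
BASE_DIR = r"C:\inetpub\wwwroot\forum\uploads"

# Allowlist for one folder name: must start with a letter or digit, so
# dot-only names, drive letters ("C:") and empty segments all fail.
SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def resolve_subfolder(sub, base_dir=BASE_DIR):
    """Map the already URL-decoded `sub` value to a folder under base_dir.

    Returns the absolute path, or None when the value must be rejected.
    """
    root = ntpath.normpath(base_dir)
    if not isinstance(sub, str) or len(sub) > 260:
        return None
    if sub == "":
        return root  # no subfolder requested: browse the root itself
    # Accept either separator, tolerate leading/trailing ones, then demand
    # that every remaining segment passes the allowlist.
    segments = re.split(r"[\\/]", sub.strip("\\/"))
    if not all(SEGMENT.match(seg) for seg in segments):
        return None
    # Defence in depth: canonicalize and verify containment, so a future
    # loosening of SEGMENT cannot silently reopen traversal.
    candidate = ntpath.normpath(ntpath.join(root, *segments))
    cand_n, root_n = ntpath.normcase(candidate), ntpath.normcase(root)
    if cand_n != root_n and not cand_n.startswith(root_n + "\\"):
        return None
    return candidate


# The two sub values from the URLs on this page, rebuilt piece by piece
# because they end in backslashes.
UNIT = "....." + "\\" * 3
PAGE_SAMPLES = ["\\" + UNIT * 2 + "....." + "\\" * 2, "\\" + UNIT * 5]

if __name__ == "__main__":
    for value in ["avatars", "images\\2008", "..\\..\\windows"] + PAGE_SAMPLES:
        print(repr(value), "->", resolve_subfolder(value))
```

Rejecting the request outright, instead of stripping characters and continuing, avoids depending on how the filesystem later interprets what is left of the value.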
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/27419/info

Web Wiz Forums, NewsPad, and Rich Text Editor are prone to a remote information-disclosure vulnerability because they fail to properly sanitize user-supplied input.

An attacker can exploit this issue to retrieve arbitrary files in the context of the webserver process. Information obtained may aid in further attacks; other attacks are also possible.

This issue affects Forums 9.07, NewsPad 1.02, and Rich Text Editor 4.0; other versions may also be vulnerable. 

http://www.example.com/RTE_file_browser.asp?look=&sub=\.....\\\.....\\\.....\\
http://www.example.com/RTE_file_browser.asp?look=save&sub=\.....\\\.....\\\.....\\\.....\\\.....\\\