Unidomedia Chameleon LE/Pro Directory Traversal

Advisory Content :

Date of Advisory:

-----------------

July 20th 2006

Product:

--------

Chameleon LE <= 1.203

Chameleon Pro is suspected to be vulnerable but since I am cheap and not
about to pay $99 for

the pro version to check if a bug exists I CAN NOT

confirm that the Pro version is vulnerable but can assume since it shares
most of the same code.

Vendor:

-------

Unidomedia

Description:

------------

Chameleon is the answer to your online advertising needs!

Chameleon can be used for general advertising too, if you wish. Configure
it in minutes to accept all types of ads. If you want to be specific,
Chameleon will have you up and running in minutes, with ad submission and
search forms tailored just the way you like.

Exploit or Vulnerability:

-------------------------

There is a directory traversal vulnerabilities in index.php

The vulnerability is at line 34: include "chd_ads/$_GET[rmid]";

The user can pass a directory traversal attack to index.php?rmid= and can
load ANY file on the server that the attacker has read access to. This can
lead to a user gaining information such as server usernames from the passwd
file or reading other website files which could lead to vulnerable
information being accessed.

Proof of Concept (PoC):

-----------------------

http://www.victim.com/index.php?rmid=[directory traversal]

Vendor Status:

--------------

Vendor has been notified but have yet to receive any notification or
communication from vendor on this issue.

Solution:

---------

No known vendor solution at this time.

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

Unidomedia Chameleon LE/Pro Directory Traversal