Описание
Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI.
Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2008-6508
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46488
- https://www.exploit-db.com/exploits/7075
- http://osvdb.org/49663
- http://secunia.com/advisories/32478
- http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt
- http://www.andreas-kurtz.de/archives/63
- http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html
- http://www.igniterealtime.org/issues/browse/JM-1489
- http://www.securityfocus.com/archive/1/498162/100/0/threaded
- http://www.securityfocus.com/bid/32189
- http://www.vupen.com/english/advisories/2008/3061
Связанные уязвимости
Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI.