[VIM] Re: [Full-disclosure] Torrential 1.2 getdox.php Directory Traversal

security curmudgeon jericho at attrition.org
Wed Nov 30 21:32:01 EST 2005


Hi Shell,

: I was poking around my own server because I had an installation of 
: torrential and found this vuln. The problem lies in getdox.php. It works 
: by taking an argument after a "/". This specifies a file. The DOX folder 
: that it grabs the files from is located in /dox such that / is the 
: directory that the main index is in. Now, you can give it the parameter 
: of /(any file) and it will fetch that file.
: 
: EXAMPLES:
: http://www.example.com/torrential/dox/getdox.php/../forums.php (goes
: to the forums page)
: http://www.example.com/torrential/dox/getdox.php/../../index.html
: (goes to http://www.example.com/index.html in this case)

It isn't clear if this can be used to gain access to sensitive or 
restricted files. The examples above both make it look like you would 
normally have access to the forums.php or index.html files anyway. Will 
this traverse out of the web root?

Brian
OSVDB.org
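
An added example, not part of the original thread and not Torrential's code: a Python model of the path resolution the report describes, classifying whether a requested path stays in the dox folder, leaves it but remains under the web root, or leaves the web root, which is the distinction the reply asks about. The directory layout, function names and every sample path other than the two from the report are assumptions.

```python
import posixpath

# Assumed server layout (constructed, not taken from the post).
WEB_ROOT = "/var/www/html"
DOX_DIR = WEB_ROOT + "/torrential/dox"

# First two entries are the paths from the report; the rest are constructed.
SAMPLES = ["../forums.php", "../../index.html", "readme.txt",
           "../dox-old/readme.txt", "../../../../outside.txt"]


def _inside(path, base):
    """True when path is base itself or lies beneath it.

    Comparing against base + "/" avoids treating /dox-old as inside /dox.
    """
    return path == base or path.startswith(base.rstrip("/") + "/")


def classify(path_info, dox_dir=DOX_DIR, web_root=WEB_ROOT):
    """Resolve the text after getdox.php/ and report where it lands.

    Returns "in_dox", "in_web_root" (left dox, still under the web root)
    or "outside_web_root".
    """
    # Join lexically, then collapse "." and ".." segments. This ignores
    # symlinks; a live handler should canonicalise with realpath() instead.
    joined = posixpath.join(dox_dir, path_info.lstrip("/"))
    candidate = posixpath.normpath(joined)
    if _inside(candidate, dox_dir):
        return "in_dox"
    if _inside(candidate, web_root):
        return "in_web_root"
    return "outside_web_root"


def is_allowed(path_info):
    """Policy for a hardened handler: serve only from the dox folder."""
    return classify(path_info) == "in_dox"


def triage(samples=SAMPLES):
    """Map each sample path to its classification."""
    return {s: classify(s) for s in samples}
```

Both paths from the report classify as "in_web_root" under this layout, so they show the handler leaving its own folder but do not by themselves show access outside the web root.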

