CVE-2004-0303
Description
OWLS 1.0 suffers from multiple path traversal vulnerabilities allowing remote attackers to read arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OWLS 1.0 is vulnerable to directory/path traversal attacks that allow remote attackers to retrieve arbitrary files from the web server. The vulnerability exists in multiple PHP scripts: /glossaries/index.php (file parameter), /readings/index.php (filename parameter), /multiplechoice/resultsignore.php (filename parameter), /workshop/glossary.php (editfile parameter) and /workshop/newmultiplechoice.php (editfile parameter). These scripts fail to properly sanitize user-supplied input, so they accept absolute paths as well as relative path traversal sequences such as ../../../../etc/passwd [1].
Exploitation
An attacker can exploit this vulnerability without any prior authentication or special privileges. By sending a crafted HTTP GET request to any of the vulnerable scripts with a manipulated file/filename/editfile parameter containing an absolute path or directory traversal sequence, the attacker can force the server to read and return the contents of any file that the web server process has read access to. For example, requesting /glossaries/index.php?file=/etc/passwd directly retrieves the system password file [1].
Impact
Successful exploitation leads to unauthorized disclosure of sensitive information. An attacker can read arbitrary files such as configuration files, application source code, database credentials, or system files like /etc/passwd. This compromises the confidentiality of the server and may facilitate further attacks. The attacker gains no direct code execution or privilege escalation, but the information obtained can be used to escalate an attack [1].
Mitigation
A patched version has not been publicly released by the vendor; as of the advisory date (18 February 2004), the vendor was contacted but no fix was available. Users should apply input validation to all file-related parameters, restrict web server access to sensitive files, or consider migrating away from OWLS 1.0 as it appears to be no longer actively maintained [1].
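Because no vendor fix exists, reviewing web server logs for requests to the affected scripts is a practical check. The following is an added example, not code from OWLS or the advisory: it flags requests where one of the file parameters listed above carries an absolute path or a `..` segment, including percent-encoded forms. It assumes the Apache/nginx "combined" log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script -> file parameter, as listed in the CVE description above.
WATCHED = {
    "/glossaries/index.php": "file",
    "/readings/index.php": "filename",
    "/multiplechoice/resultsignore.php": "filename",
    "/workshop/glossary.php": "editfile",
    "/workshop/newmultiplechoice.php": "editfile",
}
# Assumption: Apache/nginx "combined" access log format.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), bounded."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def is_suspicious(value):
    """True for an absolute path, a NUL byte, or any '..' path segment."""
    v = decode_fully(value).replace("\\", "/")
    return v.startswith("/") or "\x00" in v or ".." in v.split("/")

def scan(lines):
    """Return (client, script, param, decoded value, status) per hit.
    Scripts are suffix-matched, so a subdirectory install is covered."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        script = next((s for s in WATCHED if url.path.endswith(s)), None)
        for name, value in parse_qsl(url.query):
            if name == WATCHED.get(script) and is_suspicious(value):
                hits.append((client, script, name, decode_fully(value), int(status)))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [18/Feb/2004:10:00:00 +0000] "GET /owls/glossaries/index.php?file=/etc/passwd HTTP/1.0" 200 1432',
    '192.0.2.10 - - [18/Feb/2004:10:00:05 +0000] "GET /owls/readings/index.php?filename=..%252f..%252fetc%252fpasswd HTTP/1.0" 200 1432',
    '198.51.100.7 - - [18/Feb/2004:10:01:00 +0000] "GET /owls/glossaries/index.php?file=biology.txt HTTP/1.0" 200 512',
]
print(*scan(SAMPLE), sep="\n")
```

A hit with a 200 status is worth prioritizing, since it suggests the server returned file contents rather than an error.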
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (4)
- www.securityfocus.com/bid/9689 (nvd; Exploit; Vendor Advisory)
- marc.info (nvd)
- www.zone-h.org/en/advisories/read/id=3973/ (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/15249 (nvd)