CVE-2005-0796

Remote attackers can exploit this vulnerability by submitting a crafted vote_filename parameter containing directory traversal sequences like "../". This allows them to overwrite arbitrary files on the server, bypassing the intended check that the file should be within the holaDB/votes directory [ref_id=1]. An example payload demonstrates overwriting the multiuser.php file to gain administrative access [ref_id=1, ref_id=2].

The vulnerability resides in the Vote-Module, specifically in the vote_save_results.php file. The issue involves the handling of the vote_filename parameter, which is intended to specify a file within the holaDB/votes directory [ref_id=1].

The advisory indicates that version 1.4.9-1 attempted to fix this issue by checking if the vote_filename variable contained "holaDB/votes" at the beginning using strpos(). However, this patch was insufficient as it did not prevent directory traversal sequences from being used to navigate outside the intended directory [ref_id=1]. The advisory suggests using alternative CMS solutions as a fix, implying no effective patch was provided by the vendor [ref_id=1].

<form action="http://www.example.com/[site-with-vote].php?vote=1" method="POST"> <input type="hidden" name="vote_filename" value="holaDB/votes/../../admin/multiuser/multiuser.php"> <input type="hidden" name="result" value="0"> <input type="submit" value="Stimme abgeben" name="button"> </form>