CVE-2009-4088
published 2009-11-29CVE-2009-4088: Multiple directory traversal vulnerabilities in telepark.wiki 2.4.23 and earlier allow remote attackers to read arbitrary files via directory traversal…
PriorityP337medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
2.80%
84.7th percentile
Multiple directory traversal vulnerabilities in telepark.wiki 2.4.23 and earlier allow remote attackers to read arbitrary files via directory traversal sequences in the css parameter to (1) getjs.php and (2) getcsslocal.php; and include and execute arbitrary local files via the (3) group parameter to upload.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| telepark | telepark.wiki | <= 2.4.23 | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
telepark wiki 2.4.23 - Multiple Vulnerabilities
exploitdb·2009-11-16
CVE-2009-4089 telepark wiki 2.4.23 - Multiple Vulnerabilities
telepark wiki 2.4.23 - Multiple Vulnerabilities
---
Abysssec Inc Public Advisory
Title : Telepark Wiki Multiple Remote Vulnerabilities
Affected Version : ",$_POST['wikiFileName'],str_file_uploaded).".\n";
}
for bypass you can use : image.jpg%00.php
note : use group variable for changing directory to another writeable directory
FIXED:
line 22:
if (isset($_POST['wikiComment']) && isset($_POST['pageID']) && $wiki->isUserPage($_POST['pageID'],"loggedUser",true,P_COMMENT)) {
added check is user allowed to comment
line 29:
$data=$wiki->savePage($data,"comment");
savePage now returns checked data - if file name is not allowed returns empty string instead of name
line 67:
$body.=str_replace("",$data['wikiFileName'],str_file_uploaded).".\n";
uses checked filename returned from savePage fun
Exploit-DB
Photodex ProShow Gold 4 (Windows XP SP3) - '.psh' Universal Buffer Overflow (SEH)
exploitdb·2009-08-24
CVE-2009-3214 Photodex ProShow Gold 4 (Windows XP SP3) - '.psh' Universal Buffer Overflow (SEH)
Photodex ProShow Gold 4 (Windows XP SP3) - '.psh' Universal Buffer Overflow (SEH)
---
#
# [+] Vulnerability : ProShow Gold 4 BOF
# [+] Detected by : Bkis - http://blog.bkis.com/?p=737
# [*] Sploit coded by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
# [*] Sploit coded on : August 20, 2009
# [*] Type : local
# [*] OS : Windows
# [*] Product : Photodex ProShow Gold
# [*] Versions affected : 4.0
# [*] Download link : http://www.photodex.com/downloads/go_proshowgold
# [*] -------------------------------------------------------------------------
# [*] Method : SEH - Universal
# [*] Tested on : Windows XP SP3 En
# [*] Greetz&Tx to : Saumil/SK
# [*] -------------------------------------------------------------------------
# MMMMM~.
# MMMMM?.
# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?.
No writeups or analysis indexed.
http://blog.telepark.com/telepark-web-software/2009/11/09/telepark-wiki-security-fixes/http://packetstormsecurity.org/0911-exploits/Telepark-fixes-nov09-2.txthttp://secunia.com/advisories/37391http://www.exploit-db.com/exploits/9483http://www.osvdb.org/60216http://www.osvdb.org/60217http://www.osvdb.org/60218https://exchange.xforce.ibmcloud.com/vulnerabilities/54327http://blog.telepark.com/telepark-web-software/2009/11/09/telepark-wiki-security-fixes/http://packetstormsecurity.org/0911-exploits/Telepark-fixes-nov09-2.txthttp://secunia.com/advisories/37391http://www.exploit-db.com/exploits/9483http://www.osvdb.org/60216http://www.osvdb.org/60217http://www.osvdb.org/60218https://exchange.xforce.ibmcloud.com/vulnerabilities/54327
2009-11-29
Published