IBM Tivoli Directory Server 3.2.2/4.1 - LDACGI Directory Traversal

EDB-ID:

24345


Author:

anonymous

Type:

remote


Platform:

Windows

Date:

2004-08-02


source: https://www.securityfocus.com/bid/10841/info

IBM Tivoli Directory Server is reported to contain a directory traversal vulnerability in its web front-end application.

This issue presents itself due to insufficient sanitization of user-supplied data.

This issue allows remote attackers to view potentially sensitive files on the server that are accessible to the 'ldap' user. This may aid an attacker in conducting further attacks against the vulnerable computer.

Versions 3.2.2, and 4.1 are reported vulnerable.

http://www.example.com/ldap/cgi-bin/ldacgi.exe?Action=Substitute&Template=../../../../../boot.ini&Sub=LocalePath&LocalePath=enus1252