PT-2002-2559 · Unknown · Image Display System

Published

2002-12-31

Updated

2008-09-05

CVE-2002-1837

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions Image Display System (IDS) version 0.81

Description The issue allows remote attackers to determine the existence of arbitrary directories via ".." sequences in the album parameter. This is due to the getAlbumToDisplay function in idsShared.pm generating different error messages depending on whether the directory exists or not.

Recommendations For version 0.81, consider restricting access to the getAlbumToDisplay function until a patch is available. As a temporary workaround, avoid using the album parameter with ".." sequences in the affected API endpoint.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2002-1837

Affected Products

Image Display System

PT-2002-2559 · Unknown · Image Display System

CVE-2002-1837

Related Identifiers

Affected Products

References · 6