PT-2004-1457 · Owls · Owls

Published: 2004-03-18 · Updated: 2017-07-11 · CVE-2004-0303

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

OWLS version 1.0

Description

The issue allows remote attackers to retrieve arbitrary files. This can be achieved by providing absolute pathnames in certain parameters, specifically the file parameter in "/glossaries/index.php", the filename parameter in "/readings/index.php", or the filename parameter in "/multiplechoice/resultsignore.php". For example, an attacker could attempt to access sensitive system files like "/etc/passwd".

Recommendations

For OWLS version 1.0, as a temporary workaround, consider restricting access to the affected API endpoints "/glossaries/index.php", "/readings/index.php", and "/multiplechoice/resultsignore.php" to minimize the risk of exploitation. Avoid using the file and filename parameters in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
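
A log check for the request pattern described above, given as an added example that is not part of the original advisory or of OWLS itself. It assumes Combined Log Format access logs and a hypothetical install under /owls/; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> parameter, as named in the advisory.
WATCHED = {
    "/glossaries/index.php": "file",
    "/readings/index.php": "filename",
    "/multiplechoice/resultsignore.php": "filename",
}
# Request field of a Combined Log Format line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_absolute(value):
    # POSIX root, leading backslash/UNC, or a Windows drive prefix.
    return value.startswith(("/", "\\")) or bool(re.match(r"[A-Za-z]:[\\/]", value))

def flag_request(target):
    """Return (endpoint, param, value) when a watched parameter holds an absolute path."""
    parts = urlsplit(target)
    for endpoint, param in WATCHED.items():
        # Suffix match covers installs below a sub-directory.
        if parts.path.endswith(endpoint):
            # parse_qs percent-decodes, so %2Fetc%2Fpasswd is compared as /etc/passwd.
            for value in parse_qs(parts.query).get(param, []):
                if is_absolute(value):
                    return (endpoint, param, value)
    return None

def scan(lines):
    """Return (line_number, endpoint, param, value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hit = flag_request(match.group(1)) if match else None
        if hit:
            hits.append((number, *hit))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical /owls/ install path).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Mar/2004:10:01:02 +0000] "GET /owls/glossaries/index.php?file=intro.txt HTTP/1.0" 200 512',
    '198.51.100.7 - - [18/Mar/2004:10:04:11 +0000] "GET /owls/glossaries/index.php?file=/etc/passwd HTTP/1.0" 200 1310',
    '198.51.100.7 - - [18/Mar/2004:10:04:15 +0000] "GET /owls/readings/index.php?filename=%2Fetc%2Fpasswd HTTP/1.0" 200 1310',
    '192.0.2.10 - - [18/Mar/2004:10:06:40 +0000] "GET /owls/multiplechoice/resultsignore.php?filename=quiz1.dat HTTP/1.0" 200 88',
    '192.0.2.44 - - [18/Mar/2004:10:09:03 +0000] "GET /owls/index.php?file=/etc/passwd HTTP/1.0" 404 0',
]
```

Parameters sent in a POST body do not appear in access logs, so this check covers query-string requests only.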


Related Identifiers

CVE-2004-0303

Affected Products

Owls