PT-2008-2098 · Web Wiz · Web Wiz Newspad+2
Published: 2008-01-28 · Updated: 2018-10-15
CVE-2008-0466
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Web Wiz Rich Text Editor version 4.0
Web Wiz Forums version 9.07
Web Wiz Newspad version 1.02
Description
The issue allows remote attackers to list directories and read files without requiring authentication. This can be further exploited to access files outside the configured directory tree by leveraging a separate directory traversal issue.
Recommendations
For Web Wiz Rich Text Editor version 4.0, update the RTE file browser.asp file to require authentication.
For Web Wiz Forums version 9.07, restrict access to the RTE file browser.asp file to authenticated users.
For Web Wiz Newspad version 1.02, consider disabling the RTE file browser.asp file until a patch is available that enforces authentication.
Weakness Enumeration
Improper Authentication
Affected Products
Web Wiz Forums
Web Wiz Newspad
Web Wiz Rich Text Editor