CVE-2011-1715

Name of the Vulnerable Software and Affected Versions QooxDoo versions 1.3 and possibly other versions eyeOS versions 2.2 and 2.3

Description A directory traversal issue allows remote attackers to read arbitrary files via ..%2f (encoded dot dot) sequences in the file parameter. This issue is present in the framework/source/resource/qx/test/part/delay.php file.

Recommendations For QooxDoo version 1.3, avoid using the file parameter with ..%2f sequences in the delay.php file until a patch is available. For eyeOS versions 2.2 and 2.3, restrict access to the delay.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.