CVE-2011-1715

2011-04-18 20:55:02 2017-08-17 03:34:20

Directory traversal vulnerability in framework/source/resource/qx/test/part/delay.php in QooxDoo 1.3 and possibly other versions, as used in eyeOS 2.2 and 2.3, and possibly other products allows remote attackers to read arbitrary files via ..%2f (encoded dot dot) sequences in the file parameter.

Vector

NETWORK

Complexity

LOW

Authentication

NONE

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Qooxdoo Qooxdoo 1.3 (not an official CPE)

Qooxdoo - Qooxdoo

Advisory	Patch	Confirmed	Link
			eyeos-delay-file-include(66575)
			eyeos-jsonpprimitive-xss(66574)
			17127
			47184
			http://www.autosectools.com/Advisories/eyeOS.2.3_Local.F...
			http://blog.eyeos.org/en/2011/04/07/about-some-eyeos-sec...

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (ID 22)

Related CAPEC 7 Relative Path Traversal (CAPEC-ID 139) Directory Traversal (CAPEC-ID 213) File System Function Injection, Content Based (CAPEC-ID 23) Using Slashes and URL Encoding Combined to Bypass Validation Logic (CAPEC-ID 64) Manipulating Input to File System Calls (CAPEC-ID 76) Using Escaped Slashes in Alternate Encoding (CAPEC-ID 78) Using Slashes in Alternate Encoding (CAPEC-ID 79)