Published: 2008/11/21 Last Updated: 2009/04/28
JVN#86833991
CGI RESCUE MiniBBS2000 directory traversal vulnerability
Overview
MiniBBS2000 from CGI RESCUE contains a directory traversal vulnerability.
Products Affected
- MiniBBS2000 v1.02 and earlier
- MiniBBS2000i v1.02 and earlier
Description
MiniBBS2000, a message board script provided by CGI RESCUE, contains a directory traversal vulnerability.
Impact
A remote attacker could view files on the server where MiniBBS2000 is installed. This could lead to disclosure of file contents.
Solution
Update the Software
Update to the latest version according to the information provided by the vendor.
Vendor Status
Vendor | Link |
---|---|
CGI RESCUE | An error in the downloadable files for MiniBBS2000 and MiniBBS2000i (Japanese Only) |
CGI RESCUE | MiniBBS2000 (Japanese Only) |
CGI RESCUE | MiniBBS2000i (Japanese Only) |
References
JPCERT/CC Addendum
The vendor reported that the downloadable files addressing this vulnerability were incorrect (v1.02). Files currently available are version v1.03, where this vulnerability has been fixed. For more information, refer to the vendor's website.
Vulnerability Analysis by JPCERT/CC
Analyzed on 2008.11.21
Measures | Conditions | Severity |
---|---|---|
Access Required | Routed - can be attacked over the Internet using packets | |
Authentication | None - anonymous or no authentication (IP addresses do not count) | |
User Interaction Required | None - the vulnerability can be exploited without an honest user taking any action | |
Exploit Complexity | Low - little to no expertise and/or luck required to exploit (cross-site scripting) | |
Credit
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2008-5723 |
JVN iPedia | JVNDB-2008-000078 |
Update History
- 2008/11/26: The first English advisory of this issue was published.
- 2009/04/28: The product name was changed to MiniBBS2000 from KanniBBS2000.