WeBid <= 1.0.2 (includes/messages.inc.php) Local File Inclusion Vulnerability


WeBid contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to user input passed to the index.php script not being properly sanitized in the includes/messages.inc.php script: directory-traversal sequences (e.g., ../../) supplied in the ‘lan’ parameter are used to build a file path that the script includes. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code, which will then be executed by the vulnerable script. In addition, this flaw can potentially be used to disclose the contents of any file on the system that is accessible to the web server.
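The following is an added illustration of the defensive fix for this class of bug, not WeBid's own code: a language selector such as the ‘lan’ parameter is resolved against an allowlist of real language-pack directories before anything is included, and the final path is confirmed to sit inside the language directory. The directory layout (./language/<code>/messages.inc.php) and the function names are assumptions.

```php
<?php
// Added example (not WeBid's code). Assumed layout:
// language packs live in ./language/<code>/messages.inc.php.
declare(strict_types=1);

const LANG_DIR     = __DIR__ . '/language';
const DEFAULT_LANG = 'EN';

// Build the allowlist from directories that actually exist, so the only
// accepted values are real language-pack names, never user-shaped paths.
function allowedLanguages(string $dir = LANG_DIR): array
{
    $langs = [];
    foreach (scandir($dir) ?: [] as $entry) {
        // Only short alphanumeric names qualify; ".", "..", and anything
        // containing a slash can never match this pattern.
        if (preg_match('/^[A-Za-z0-9_-]{1,16}$/', $entry) && is_dir("$dir/$entry")) {
            $langs[] = $entry;
        }
    }
    return $langs;
}

// Map untrusted input to a safe language code: anything not in the
// allowlist (e.g. a value containing "../") falls back to the default.
function resolveLanguage(?string $userInput, array $allowed, string $default = DEFAULT_LANG): string
{
    if ($userInput === null) {
        return $default;
    }
    return in_array($userInput, $allowed, true) ? $userInput : $default;
}

// Vulnerable pattern (illustrative only): the request value is spliced
// straight into the include path, so "../" segments select other files.
//   include "language/{$_GET['lan']}/messages.inc.php";

// Hardened version: the path is built only from allowlisted names, and
// realpath() confirms the resolved file is still inside LANG_DIR.
$lan  = resolveLanguage($_GET['lan'] ?? null, allowedLanguages());
$file = realpath(LANG_DIR . "/$lan/messages.inc.php");
$base = realpath(LANG_DIR);
if ($file === false || $base === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(500);
    exit('language pack missing');
}
include $file;
```

The realpath() containment check is a second line of defence: even if the allowlist were later relaxed, a resolved path outside the language directory is refused rather than included.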


Disclosure Date:

July 4, 2011