Potential Security Vulnerability in Lowyat.net website

2 weeks ago, I got a new tool – HttpWatch. It is a very handy tools to investigate the traffic flow between your machine and the web server. Previously I’m using Fidller to such job when I give a try to HttpWatch, it is definitely lovely. If you are using Firefox, there is a equivalent tools known as Firebug.

The interesting when I discover over the Lowyat.net page is there might be a potential Path Traversal vulnerability.

There is a specific URL that allow the webpage to download the flash (SWF file) advertisement. The way they pass in the flash file is through query string

It can potentially lead to a path traversal attack. In general, the path traversal allow attacker to navigate to other folder/directory in the server and grab the file.

By default, if you are deploy your application in Windows platform, many of you might just move the web project into C:\inetpub\wwwroot. If you have a path traversal vulnerability, you eventually grab any files in C: including Password file in Windows, Web.config and others.

If you are coming to my session on TechEd SEA this year. I will demonstrate an "eye-opening" demo on what Path traversal can do.

To learn more about Path traversal attack – please go to here

Advertisements

5 Comments

Filed under Uncategorized

5 responses to “Potential Security Vulnerability in Lowyat.net website

  1. Walter

    Hi Woon,
     
    Oh is good that you cross-check that. Send my regard to VJ 🙂

  2. Unknown

    Hi,Do you need digital signages, advertising displays, digital sign, advertisement displays and advertising players? Please go Here:www.amberdigital.com.hk(Amberdigital).we have explored and developed the international market with professionalism. We have built a widespread marketing network, and set up a capable management team dedicated to provide beyond-expectation services to our customers.
    amberdigital Contact Us
    website:www.amberdigital.com.hk
    alibaba:amberdigital.en.alibaba.com[eeadfcbdgacfbj]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s