J-Security Center

Title: ACD CwpAPI Relative Path Validation Vulnerability

Severity: MODERATE

Description:

CwpAPI is a collection of PHP libraries designed to allow the easy creation of secure web programs.

The function GetRelativePath is designed to accept a relative path and return a fully qualified path on the server filesystem. It includes a security feature to ensure that the returned path is within the web server root directory.

Some versions of CwpAPI do not correctly implement this check. Instead of verifying that the resolved path starts with the web root directory, the function only tests whether the path contains the web root directory as a substring. Any path that passes that substring test is returned, including valid directories outside the web root (for example, a sibling directory whose name begins with the name of the web root directory).

A program that relies on this check for security may therefore be vulnerable. For example, if no additional permission checks or validation are performed, an attacker could read or write files outside the web root.
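The following PHP is an added illustration of the weakness described above and of a correct prefix check; it is not CwpAPI code, and the function names (normalizePath, flawedGetRelativePath, safeGetRelativePath), the web root /var/www/html and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example, not CwpAPI code. All names and sample paths below are
// hypothetical and constructed for illustration only.

// Lexically normalise an absolute path: drop empty and "." segments and
// let ".." remove the previous segment. No filesystem access is needed,
// so the example runs anywhere.
function normalizePath(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Flawed variant: mirrors the behaviour the advisory describes. The web
// root only has to appear *somewhere* in the resolved path.
function flawedGetRelativePath(string $webRoot, string $relative): ?string {
    $full = normalizePath($webRoot . '/' . $relative);
    return (strpos($full, $webRoot) !== false) ? $full : null;
}

// Hardened variant: the resolved path must be the web root itself or begin
// with the web root followed by a directory separator. The separator is
// what stops "/var/www/html_backup" from matching "/var/www/html".
function safeGetRelativePath(string $webRoot, string $relative): ?string {
    $root = normalizePath($webRoot);
    $full = normalizePath($webRoot . '/' . $relative);
    if ($full === $root || strncmp($full, $root . '/', strlen($root) + 1) === 0) {
        return $full;
    }
    return null;
}

// Constructed inputs: one legitimate, one classic traversal, and one
// traversal into a sibling directory whose name starts with the web root.
$webRoot = '/var/www/html';
$inputs = [
    'css/../index.php',
    '../../etc/passwd',
    '../html_backup/secret.txt',
];

foreach ($inputs as $rel) {
    printf("%-28s flawed: %-34s safe: %s\n",
        $rel,
        var_export(flawedGetRelativePath($webRoot, $rel), true),
        var_export(safeGetRelativePath($webRoot, $rel), true));
}
```

The third input resolves to /var/www/html_backup/secret.txt, which the substring test accepts and the prefix test rejects. In production code the resolved path and the web root should additionally be passed through realpath() before the comparison so that symbolic links are followed; note that realpath() returns false for paths that do not exist, which the caller must treat as a rejection rather than a match.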

Affected Products:

  • ACD Incorporated CwpAPI 1.1.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.