CVE-2006-2347 Information

Description

E-Business Designer (eBD) 3.1.4 and earlier allows remote attackers to obtain the full path of the web server via '\ characters and possibly other invalid values in (1) the id parameter to form_grupo.html or requests to the (2) archivos/ and (3) files/ directories. NOTE: this issue might be resultant from SQL injection.

Reference

http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/045980.html
http://secunia.com/advisories/20071
http://securityreason.com/securityalert/891
http://www.securityfocus.com/archive/1/433807/100/0/threaded
http://www.securityfocus.com/bid/17933
http://www.vupen.com/english/advisories/2006/1784
https://exchange.xforce.ibmcloud.com/vulnerabilities/26476
