Description
Multiple directory traversal vulnerabilities in the RenderFile function in ContentRender.class.php in Terracotta (aka OpenTerracotta) 0.6.1, and possibly other versions, allow remote attackers to list arbitrary directories and read arbitrary files via a .. (dot dot) in the (1) CurrentDirectory and (2) File parameters to index.php.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by Joseph Giron · text · webapps · php
https://www.exploit-db.com/exploits/31584
References (3)
Core References
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/28550
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/490341/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/41572
Scores
EPSS
0.0118
EPSS Percentile
78.9%
Details
CWE
CWE-22
Status
published
Products (1)
devraj_mukherjee/openterracotta
0.6.1
Published
Mar 25, 2009
Tracked Since
Feb 18, 2026