Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Directory traversal in phpXplorer

from [Stan Bubrouski] Network Security [Permanent Link]
Subject: Re: Directory traversal in phpXplorer
Date: Thu, 19 Jan 2006 15:06:04 -0500 
Hey,

I just wanted to point out a couple of things I neglected to mention
in my first reply to this advisory:
1) Even if something isn't a critical problem, a vendor should still
respond to the issue, if for no other reason than to straighten out
the situation with the user who had enough insight to spot it and
assume its a problem.
2) Only reporting a bug between Dec 20 - Jan 4 is in bad practice, I
think.  The advisory noted those two dates as when the vendor was sent
an advisory.  As most people know this  period of time is considered
Christmas and New Years vacation in the USA and other places.  Beyond
that the phpXplorer project is an open source project and may not have
dedicated support.

In short a little more leeway should be profited during the holidays
and vendors should always respond to issue like this so no one gets
hung out to dry like this.

Best Regards,
Stan Bubrouski


On 1/16/06, Stan Bubrouski <stan.bubrouski@gmail.com> wrote:

Seeing as phpXplorer allows the upload and editing of live PHP files
anyways it seems to me this exploit is completely useless.  You can
use the script as intended to cat the password file if you want.
Right?

-sb


On 1/16/06, Oriol Torrent <oriol.torrent@gmail.com> wrote:

==========================================================
Title: Directory traversal in phpXplorer

Application: phpXplorer
Vendor: http://www.phpxplorer.org
Vulnerable Versions: 0.9.33
Bug: directory traversal
Date: 16-January-2006
Author: Oriol Torrent Santiago < oriol.torrent.AT.gmail.com >

References:
http://www.arrelnet.com/advisories/adv20060116.html

==========================================================

1) Background
   -----------
  phpXplorer is an open source file management system written in PHP.
  It enables you to work on a remote file system through a web browser.


2) Problem description
   --------------------
   An attacker can read arbitrary files outside the web root by sending
   specially formed requests

  Ex:

http://host/phpXplorer/system/workspaces.php?sShare=../../../../../../../../etc/passwd%00&ref=1


3) Solution:
   ----------
   No Patch available.


4) Timeline
   ---------
   17/12/2005 Bug discovered
   20/12/2005 Vendor receives detailed advisory. No response
   04/01/2006 Second notification. No response
   16/01/2006 Public Disclosure
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: MySQL 5.0 information leak?, Burton Strauss
Next by Date:  Critical security advisory #006 tftpd32 Format string, admin
Previous by Thread:  Re: Directory traversal in phpXplorer, Stan Bubrouski
Next by Thread:  [Full-disclosure] WehnTrust - When you have to trust Wehntrust, Thierry Zoller
Indexes:  [Date] [Thread] [Top] [All Lists]