[VIM] false: Seir Anphin (file.php a[filepath]) Remote File Disclosure Vulnerability

GM darkfig gmdarkfig at gmail.com
Sun Apr 29 10:00:53 UTC 2007


Title: Seir Anphin (file.php a[filepath]) Remote File Disclosure Vulnerability
Link: http://www.securityfocus.com/archive/1/467103/30/0/threaded

Quote from the thread:
"Exploit: [Seir_Anphin_Path]/modules/file.php?a[filepath]=../../../etc/passwd"

./modules/file.php:
class file extends module_base
[...]
function download()
[...]
$dbr->query("SELECT f.filepath, f.downloads, h.url FROM {$dbr->p}files
f LEFT JOIN {$dbr->p}file_hosts h ON h.hostid=f.hostid WHERE
fileid=$this->id");
if ($dbr->numrows() < 1) return showmsg('noresults_badurl');
$a = $dbr->getarray();
[...]
header("Content-Type: application/save");
header("Content-Disposition: attachment; filename=\"$filename\"");
$fh = readfile($a['filepath']);
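
Added example (not part of the original post and not Seir Anphin code): a PHP model of the order of operations in the quoted download(), showing which path reaches readfile() when the request carries a[filepath]. It assumes the report relies on the request value becoming $a; fetch_file_row(), path_reaching_sink() and the sample row are hypothetical stand-ins for the $dbr calls and the files table.

```php
<?php
// Added illustration, not Seir Anphin code. All names here are hypothetical.

// Stand-in for $dbr->query(...) + $dbr->getarray(): the row selected by fileid.
function fetch_file_row(int $id): ?array
{
    // Constructed sample data standing in for the {prefix}files table.
    $files = [
        7 => ['filepath' => 'files/manual.pdf', 'downloads' => 3, 'url' => null],
    ];
    return $files[$id] ?? null;
}

// Mirrors the quoted download() flow and returns the path that would be
// handed to readfile(), or null when the "noresults_badurl" branch is taken.
function path_reaching_sink(array $request, int $id): ?string
{
    // Worst case for the report: the request value is injected directly into
    // this function's local scope. That is stronger than register_globals,
    // which only populates the global scope. Emulation only, never do this.
    extract($request);

    $row = fetch_file_row($id);
    if ($row === null) {
        return null;            // if ($dbr->numrows() < 1) return showmsg(...)
    }
    $a = $row;                  // $a = $dbr->getarray(); replaces any injected $a
    return $a['filepath'];      // readfile($a['filepath'])
}

// a[filepath] value taken from the quoted report.
$request = ['a' => ['filepath' => '../../../etc/passwd']];

var_dump(path_reaching_sink($request, 7));   // existing fileid
var_dump(path_reaching_sink($request, 99));  // unknown fileid
```

In both calls the request-supplied path never reaches the sink: the path comes from the database row, or the function returns before any file is read.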

