[VIM] true: AGENCY4NET WEBFTP directory traversal; deletion possible
Steven M. Christey
coley at mitre.org
Fri Jan 4 00:14:01 UTC 2008
(Happy New Year, all!)
Ref: MILW0RM:4828
http://www.milw0rm.com/exploits/4828
Researcher: TrYaG-TeaM [Tryag.com/cc] (I guess)
download.php invokes download2.php with a file parameter, so
register_globals is assumed/required. $file is not checked in the
"config.inc.php" that's included by download2.php.
download2.php later calls:
@readfile($file);
unlink($file);
So, the impact also appears to be file deletion when permissions
allow. Deletion was not mentioned in the original disclosure.
- Steve
More information about the VIM
mailing list