Phreebooks 2.0 – Local File Inclusion

  • Author: Gustavo Sorondo
    Date: 2010-06-08
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/13777/
  • Advisory Name: Local File Inclusion in Phreebooks v2.0
    Internal Cybsec Advisory Id:
    Vulnerability Class: Local File Inclusion
    Release Date: 2010-05-26
    Affected Applications: Phreebooks v2.0
    Affected Platforms: Any running Phreebooks v2.0
    Local / Remote: Remote
    Severity: Medium – CVSS: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Researcher: Gustavo Sorondo
    Vendor Status: N/A
    Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
    Vulnerability Description:
    A vulnerability has been found in Phreebooks v2.0 that allows malicious people to include local files
    by supplying special characters in variables used to build file paths. The attacker uses “../” sequences to
    move up towards the root directory, thus permitting navigation through the file system.
    The files are included into the scripts and their contents are executed by the server.
    
    
    Download:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/13777.pdf (cybsec_advisory_2010_0602_Phreebooks_v2_0_Local_File_Inclusion.pdf)
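The pattern the advisory describes, shown as an added example that is not Phreebooks code: a user-controlled value concatenated into an include path, next to a hardened resolver that rejects traversal sequences and confines inclusion to an allowlist inside one directory. The request parameter name `module`, the `modules/` directory and the allowlist contents are assumptions for illustration.

```php
<?php
// VULNERABLE (hypothetical, mirrors the advisory): the value is concatenated
// straight into a path, so "../" sequences walk out of modules/ and include()
// executes whatever file the resulting path points at.
function vulnerable_include_path(string $module): string
{
    return __DIR__ . '/modules/' . $module . '.php';
}

// HARDENED: three independent checks, each sufficient to stop the traversal.
function safe_include_path(string $module, array $allowed): ?string
{
    // 1. Only a plain identifier is acceptable; this rejects "../", "/",
    //    null bytes and anything else that could alter the path.
    if (!preg_match('/^[a-z0-9_]+$/', $module)) {
        return null;
    }
    // 2. The name must be one the application explicitly knows about.
    if (!in_array($module, $allowed, true)) {
        return null;
    }
    // 3. Resolve symlinks and ".." and confirm the final path is still
    //    inside the modules directory (realpath() is false if missing).
    $base = realpath(__DIR__ . '/modules');
    $path = realpath($base . '/' . $module . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Assumed allowlist of module names that may legitimately be included.
$allowed = ['inventory', 'contacts', 'general_ledger'];
$module  = $_GET['module'] ?? '';

$path = safe_include_path($module, $allowed);
if ($path === null) {
    // e.g. "../../config" fails check 1 and is never passed to include().
    http_response_code(400);
    exit('invalid module');
}
include $path;
```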