FUDforum 3.0.6 – Local File Inclusion - 体验盒子

作者： Curesec Research Team

日期： 2016-11-21

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/40803/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:FUDforum 3.0.6

Fixed in:not fixed

Fixed Version Link:n/a

Vendor Website:http://fudforum.org/forum/

Vulnerability Type:LFI

Remote Exploitable:Yes

Reported to vendor:04/11/2016

Disclosed to public: 11/10/2016

Release mode:Full Disclosure

CVE: n/a

CreditsTim Coen of Curesec GmbH

2. Overview

FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable

to local file inclusion. This allows an attacker to read arbitrary files that

the web user has access to.

Admin credentials are required.

3. Details

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description: The "file" parameter of the hlplist.php script is vulnerable to

directory traversal, which allows the viewing of arbitrary files.

Proof of Concept:

http://localhost/fudforum/adm/hlplist.php?tname=default&tlang=./af&&SQ=

4b181ea1d2d40977c7ffddb8a48a4724&file=../../../../../../../../../../etc/passwd

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

04/11/2016 Informed Vendor about Issue (no reply)

09/14/2016 Reminded Vendor (no reply)

11/10/2016 Disclosed to public

Blog Reference:

https://www.curesec.com/blog/article/blog/FUDforum-306-LFI-167.html

--

blog:https://www.curesec.com/blog

tweet: https://twitter.com/curesec

Curesec GmbH

Curesec Research Team

Josef-Orlopp-Straße 54

10365 Berlin, Germany