inurl:/dbg-wizard.php

  • 日期:2015-06-03
  • 类别:
  • 作者:anonymous
  • 语法:inurl:/dbg-wizard.php
  • # Exploit Title: Nusphere PHP DBG wizard

    # Date: 02-06-2015

    # Vendor Homepage: http://www.nusphere.com

    # Software Link: http://www.nusphere.com/products/dbg_wizard_download.htm

    # Version: any

    # Exploit Author: Alfred Armstrong

    # Contact: http://twitter.com/alfaguru

    # Website: http://figure-w.co.uk

    DBG Wizard is meant to be used with the DBG PHP debugger as an aid to

    configuring it correctly. It is supplied as a PHP script called

    dbg-wizard.php which when placed in the root folder of a web site and

    executed provides instructions to the user about setting up their web

    server so the debugger can be used.

    It is not meant to be present on a live site as it exposes details

    about software configurations and versions which might allow an

    attacker to discover other vulnerabilities. If the DBG shared library

    is also installed it will expose that fact and potentially assist an

    attacker in crafting a request to start a debug session in which they

    could do anything that can be done through a PHP script, including

    reading files and accessing database entries.

    --

    Alfred Armstrong