================================================== ========
Title: Directory traversal in phpXplorer

Application: phpXplorer
Vendor: http://www.phpxplorer.org
Vulnerable Versions: 0.9.33
Bug: directory traversal
Date: 16-January-2006
Author: Oriol Torrent Santiago < oriol.torrent.AT.gmail.com >

References:
http://www.arrelnet.com/advisories/adv20060116.html

================================================== ========

1) Background
-----------
phpXplorer is an open source file management system written in PHP.
It enables you to work on a remote file system through a web browser.


2) Problem description
--------------------
An attacker can read arbitrary files outside the web root by sending
specially formed requests

Ex:

http://host/phpXplorer/system/workspaces.php?sShare=../../../../../../../../etc/passwd%00&ref=1


3) Solution:
----------
No Patch available.


4) Timeline
---------
17/12/2005 Bug discovered
20/12/2005 Vendor receives detailed advisory. No response
04/01/2006 Second notification. No response
16/01/2006 Public Disclosure

Seeing as phpXplorer allows the upload and editing of live PHP files
anyways it seems to me this exploit is completely useless. You can
use the script as intended to cat the password file if you want.=20
Right?

-sb


On 1/16/06, Oriol Torrent <oriol.torrent@gmail.com> wrote:
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
> Title: Directory traversal in phpXplorer
>
> Application: phpXplorer
> Vendor: http://www.phpxplorer.org
> Vulnerable Versions: 0.9.33
> Bug: directory traversal
> Date: 16-January-2006
> Author: Oriol Torrent Santiago < oriol.torrent.AT.gmail.com >
>
> References:
> http://www.arrelnet.com/advisories/adv20060116.html
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
>
> 1) Background
> -----------
> phpXplorer is an open source file management system written in PHP.
> It enables you to work on a remote file system through a web browser.
>
>
> 2) Problem description
> --------------------
> An attacker can read arbitrary files outside the web root by sending
> specially formed requests
>
> Ex:
>
> http://host/phpXplorer/system/workspaces.php?sShare=3D../../../../../../.=
../../etc/passwd%00&ref=3D1
>
>
> 3) Solution:
> ----------
> No Patch available.
>
>
> 4) Timeline
> ---------
> 17/12/2005 Bug discovered
> 20/12/2005 Vendor receives detailed advisory. No response
> 04/01/2006 Second notification. No response
> 16/01/2006 Public Disclosure
>

Hey,

I just wanted to point out a couple of things I neglected to mention
in my first reply to this advisory:
1) Even if something isn't a critical problem, a vendor should still
respond to the issue, if for no other reason than to straighten out
the situation with the user who had enough insight to spot it and
assume its a problem.
2) Only reporting a bug between Dec 20 - Jan 4 is in bad practice, I
think. The advisory noted those two dates as when the vendor was sent
an advisory. As most people know this period of time is considered
Christmas and New Years vacation in the USA and other places. Beyond
that the phpXplorer project is an open source project and may not have
dedicated support.

In short a little more leeway should be profited during the holidays
and vendors should always respond to issue like this so no one gets
hung out to dry like this.

Best Regards,
Stan Bubrouski


On 1/16/06, Stan Bubrouski <stan.bubrouski@gmail.com> wrote:
> Seeing as phpXplorer allows the upload and editing of live PHP files
> anyways it seems to me this exploit is completely useless. You can
> use the script as intended to cat the password file if you want.
> Right?
>
> -sb
>
>
> On 1/16/06, Oriol Torrent <oriol.torrent@gmail.com> wrote:
> > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> > Title: Directory traversal in phpXplorer
> >
> > Application: phpXplorer
> > Vendor: http://www.phpxplorer.org
> > Vulnerable Versions: 0.9.33
> > Bug: directory traversal
> > Date: 16-January-2006
> > Author: Oriol Torrent Santiago < oriol.torrent.AT.gmail.com >
> >
> > References:
> > http://www.arrelnet.com/advisories/adv20060116.html
> >
> > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> >
> > 1) Background
> > -----------
> > phpXplorer is an open source file management system written in PHP.
> > It enables you to work on a remote file system through a web browser.
> >
> >
> > 2) Problem description
> > --------------------
> > An attacker can read arbitrary files outside the web root by sending
> > specially formed requests
> >
> > Ex:
> >
> > http://host/phpXplorer/system/workspaces.php?sShare=3D../../../../../..=
/../../etc/passwd%00&ref=3D1
> >
> >
> > 3) Solution:
> > ----------
> > No Patch available.
> >
> >
> > 4) Timeline
> > ---------
> > 17/12/2005 Bug discovered
> > 20/12/2005 Vendor receives detailed advisory. No response
> > 04/01/2006 Second notification. No response
> > 16/01/2006 Public Disclosure
> >
>