Reporter Kristian Hermansen
While fuzzing an Urchin web application, I discovered what appears to
be an LFI vulnerability. Neither Secunia nor Google / Urchin appear
to have reported this as a known issue. The problem lies in the gfid
parameter passed to urchin.cgi. This was tested on a somewhat
modified version of Urchin 5.7.03, but it appears that the gfid param
can be influenced given the results. I don't have the ability to test
further, but this appears valid and unpublished. Can anyone confirm
they see similar behavior in the same version or other versions?
$ curl -s -b '...cookie_data...'
Kristian Erik Hermansen