SECURITYVULNS:DOC:7822
Feb 15, 2005

[Full-Disclosure] Advisory: Directory traversal in CitrusDB

               Advisory: Directory traversal in CitrusDB

RedTeam found a directory traversal vulnerability in CitrusDB which
results in inclusion of any accessible local .php file.

Details

Product: CitrusDB
Affected Version: 0.3.6, probably <= 0.3.5, too
Immune Version: none (2005-02-03)
OS affected: all
Security-Risk: medium
Remote-Exploit: no
Vendor-URL: http://www.citrusdb.org
Vendor-Status: informed
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-005
Advisory-Status: public
CVE: CAN-2005-0411
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0411)

Introduction

Description from vendor: "CitrusDB is an open source customer database
application that uses PHP and a database backend (currently MySQL) to
keep track of customer information, services, products, billing, and
customer service information."

It is possible to include any locally accessible .php file.

More Details

CitrusDB uses a wrapper script (./citrusdb/tools/index.php) to load
different modules and tools. The GET parameter "load" specifies which
file should be included. By supplying a relative path in this parameter,
any .php file on the server that the script can access may be included.
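
One way to validate the "load" parameter before including a file, shown as an added example that is not CitrusDB's code and not part of the original advisory. The function name resolve_module and the flat modules directory layout are assumptions made for illustration:

```php
<?php
// Added example: hypothetical hardened loader, not CitrusDB's actual code.
// Assumption: modules live as <name>.php directly under one modules directory.

/**
 * Resolve a user-supplied module name to a file inside $baseDir,
 * or return null if the name is not acceptable.
 */
function resolve_module(string $load, string $baseDir): ?string
{
    // 1. Allowlist the shape of the name: no slashes, dots or NUL bytes.
    if (!preg_match('/\A[a-z0-9_]{1,64}\z/i', $load)) {
        return null;
    }

    // 2. Canonicalise both paths; realpath() returns false if a path is missing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $load . '.php');
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Defence in depth: the resolved file must still sit under the base
    //    directory (catches symlinks that point elsewhere).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary modules directory holding one module.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_modules_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'billing.php', "<?php // demo module\n");

// Constructed inputs: one valid name, the advisory's traversal value, two rejects.
foreach (['billing', '../../../../../../tmp/exploit', 'billing.php', 'missing'] as $load) {
    $resolved = resolve_module($load, $dir);
    printf("%-32s => %s\n", $load, $resolved === null ? 'rejected' : 'include ' . $resolved);
}

unlink($dir . DIRECTORY_SEPARATOR . 'billing.php');
rmdir($dir);
```

A wrapper script would call include only on a non-null return value and answer with an error otherwise.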

Proof of Concept

To include /tmp/exploit.php use:
http://<target>/citrusdb/tools/index.php?load=../../../../../../tmp/exploit
Note: You need to be logged in to access this URL.

Workaround

n/a (2005-02-03)

Fix

n/a (2005-02-03)

Security Risk

The security risk is rated medium. An attacker needs to be able to
create a .php file on the local filesystem, which is normally a high
barrier, but in shared hosting environments this may be easier.

History

2005-02-04 Email sent to author
2005-02-12 CVE number requested
2005-02-14 posted as CAN-2005-0411

RedTeam

RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find
more information on the RedTeam Project at
http://tsyklon.informatik.rwth-aachen.de/redteam/


Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/