Ajax File and Image Manager 'search_folder' Parameter Directory Traversal Vulnerability

2014-03-11T00:00:00
ID SSV:61733
Type seebug
Reporter Root
Modified 2014-03-11T00:00:00

Description

Bugtraq ID: 66071

Ajax File and Image Manager is a remote file and image management tool.

The search function of Ajax File and Image Manager does not properly handle data supplied in the "search_folder" parameter. A remote attacker can submit a directory traversal request and read sensitive file information with the privileges of the web server.

Ajax File and Image Manager has not published a detailed fix at this time: http://www.phpletter.com/

http://SERVER/PATH/ajaxfilemanager/ajax_get_file_listing.php?limit=10&view=thumbnail&search=1&search_name=&search_recursively=0&search_mtime_from=&search_mtime_to=&search_folder=../../../../../../../../home/phungv93/public_html/
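As an added defender-side example (not part of the advisory and not code from the phpletter.com product), the Python below shows the containment check a handler for the search_folder parameter needs, and runs that same check as a detection over constructed access-log lines, one of which reproduces the request URL above. The upload root path, the client IP addresses and the log lines are assumptions constructed for the example.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical upload root for the file manager; the real path is
# deployment-specific and is not given in the advisory.
UPLOAD_ROOT = "/var/www/ajaxfilemanager/uploads"


def is_contained(root, requested):
    """Lexically resolve `requested` relative to `root` and report whether the
    result stays inside `root`. '..' segments that climb out of the root and
    absolute paths are both rejected; this is the check a safe handler for
    'search_folder' must perform before listing anything."""
    root_norm = posixpath.normpath(root)
    # posixpath.join discards `root` when `requested` is absolute, so an
    # absolute path falls through to the containment test and fails it.
    candidate = posixpath.normpath(posixpath.join(root_norm, requested))
    return candidate == root_norm or candidate.startswith(root_norm + "/")


# Constructed access-log lines in Apache common format. The first request
# reproduces the advisory's traversal URL, the second is a normal search
# inside the upload root, the third uses percent-encoded dot segments.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Mar/2014:10:00:01 +0000] "GET /ajaxfilemanager/ajax_get_file_listing.php?limit=10&view=thumbnail&search=1&search_name=&search_recursively=0&search_mtime_from=&search_mtime_to=&search_folder=../../../../../../../../home/phungv93/public_html/ HTTP/1.1" 200 4821
203.0.113.7 - - [11/Mar/2014:10:00:05 +0000] "GET /ajaxfilemanager/ajax_get_file_listing.php?limit=10&view=thumbnail&search=1&search_folder=images/2014 HTTP/1.1" 200 912
203.0.113.9 - - [11/Mar/2014:10:00:09 +0000] "GET /ajaxfilemanager/ajax_get_file_listing.php?search=1&search_folder=%2e%2e%2f%2e%2e%2fetc HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def flag_traversal_requests(lines, root=UPLOAD_ROOT):
    """Return (client_ip, decoded search_folder) for every request to
    ajax_get_file_listing.php whose search_folder escapes `root`."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/ajax_get_file_listing.php"):
            continue
        # parse_qs percent-decodes values, so %2e%2e%2f is seen as ../
        params = parse_qs(parts.query, keep_blank_values=True)
        folder = params.get("search_folder", [""])[0]
        if not is_contained(root, folder):
            flagged.append((m.group("ip"), folder))
    return flagged


if __name__ == "__main__":
    for ip, folder in flag_traversal_requests(SAMPLE_LOG.splitlines()):
        print(f"traversal attempt from {ip}: search_folder={folder!r}")
```

The check is lexical on purpose: it does not touch the filesystem, so it can run both inside the request handler (reject before any directory is opened) and over historical logs where the target host is not available. A handler that also follows symlinks should add an os.path.realpath comparison against the resolved root after this test passes.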