[22463] in bugtraq
eRisk Security Advisory: PhpMyExplorer vulnerable to directory traversal.
daemon@ATHENA.MIT.EDU (Ben Ford)
Thu Aug 30 00:23:51 2001
Message-ID: <3B8DB3A8.3070103@erisksecurity.com>
Date: Wed, 29 Aug 2001 20:31:52 -0700
From: Ben Ford <bford@erisksecurity.com>
To: bugtraq@securityfocus.com, elegac@free.fr
eRisk Security Advisory August 29, 2001
------------------------------
PhpMyExplorer, available from http://elegac.free.fr/, is vulnerable to
directory traversal.
* Synopsis:
eRiskSecurity has discovered a fatal flaw in PhpMyExplorer, a popular
(and very good looking) PHP based file manager: it is vulnerable to
directory traversal. If the web server does not have appropriate limits
set, as is the case with most out-of-the-box Linux distributions, an
intruder can browse the entire drive, even reading sensitive files such
as /etc/passwd.
* Affected Versions:
PhpMyExplorer Classic 1.2 (presumed earlier versions as well)
PhpMyExplorer MultiUser was not tested but is presumed to be vulnerable
as well.
* Description:
With a URL such as:
/index.php?chemin=..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc any user can
browse the /etc/ directory and view any files the webserver has read
access to.
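The following PHP is an added illustration and is not PhpMyExplorer's own code (the project's source is not reproduced in this advisory). It shows the class of defect described above, a path parameter such as `chemin` appended to a base directory with no containment check, beside a hardened version that canonicalises the request and refuses anything outside the base directory. The base-directory layout, the function names and the POSIX path conventions are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not PhpMyExplorer's own code. The function names and the
// base-directory layout are assumptions for this illustration.

// Vulnerable pattern: the request parameter is joined onto the base directory
// as-is, so a value like "../../../../../../etc" walks out of $base and lists /etc.
function listDirVulnerable(string $base, string $chemin): array
{
    $entries = scandir($base . '/' . $chemin);
    return $entries === false ? [] : $entries;
}

// Hardened helper: canonicalise the requested path and accept it only if it is
// $base itself or a descendant of it. realpath() also resolves symlinks, so a
// link inside $base that points outside the base is rejected as well.
// Assumes POSIX paths (a leading "/" marks an absolute path).
function resolveInsideBase(string $base, string $chemin): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Reject NUL bytes and absolute paths outright.
    if (strpos($chemin, "\0") !== false || ($chemin !== '' && $chemin[0] === '/')) {
        return null;
    }
    $candidate = realpath($baseReal . '/' . $chemin);
    if ($candidate === false) {
        return null;                         // does not exist or is unreadable
    }
    if ($candidate !== $baseReal && strpos($candidate, $baseReal . '/') !== 0) {
        return null;                         // escaped the base directory
    }
    return $candidate;
}

function listDirHardened(string $base, string $chemin): array
{
    $dir = resolveInsideBase($base, $chemin);
    if ($dir === null || !is_dir($dir)) {
        http_response_code(403);
        return [];
    }
    $entries = scandir($dir);
    return $entries === false ? [] : $entries;
}

// Self-contained demonstration on a constructed directory tree: a base directory
// under the system temp directory with one subfolder "docs". The web server has
// already decoded "%2F" to "/" by the time a script reads $_GET['chemin'], so the
// decoded form of each sample is used here.
$base = sys_get_temp_dir() . '/pme_demo_' . getmypid();
mkdir($base . '/docs', 0700, true);

foreach (['docs', 'docs/../docs', '../../../../../../etc', '/etc'] as $sample) {
    $resolved = resolveInsideBase($base, $sample);
    printf("%-28s -> %s\n", $sample,
        $resolved === null ? 'rejected' : 'allowed (' . $resolved . ')');
}

rmdir($base . '/docs');
rmdir($base);
```

Run from the command line, the first two samples resolve to the `docs` subfolder and are allowed, while the two traversal attempts are rejected. In a real handler the `$sample` values would come from `$_GET['chemin']` and `listDirHardened()` would replace the unchecked concatenation; the prefix comparison is done against the canonicalised base with a trailing slash so that a sibling directory whose name merely begins with the base name is not mistaken for a descendant.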
* Recommendations:
We can only recommend that you not use this application until such
time as the author chooses to fix this hole. If you must use it, the
webserver must be securely configured to run as a user with no access
permissions except where specifically required, or it must be run within
a chroot() environment. Neither of these solutions is complete: by
necessity the webserver must have read access to .htaccess, .htpasswd,
httpd.conf and the like, which means that this application can view them
as well.
* Vendor Contact:
The author was notified on 8/12/2001 but has not chosen to respond or
to fix the application.
* Credits:
This vulnerability was discovered and researched by Ben Ford of
eRiskSecurity.
_________________
About eRiskSecurity:
eRiskSecurity is an employee owned Information Security Solutions
Company bringing its risk and loss mitigation approach to all industries
relying on computer systems. The company provides technically-advanced
integrated, seamless and layered approaches to information security.
For more information, visit eRiskSecurity at
http://www.erisksecurity.com, or call toll-free at 866-30-eRisk
(866-303-7475).
Copyright (c) 2001 eRiskSecurity, Inc.
Permission is hereby granted for the redistribution of this bulletin.
It is not to be edited in any way without express consent of eRiskSecurity.
Disclaimer:
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.