Re: Directory traversal in phpXplorer

[Stan Bubrouski <stan.bubrouski () gmail com>]

Hey,

I just wanted to point out a couple of things I neglected to mention
in my first reply to this advisory:
1) Even if something isn't a critical problem, a vendor should still
respond to the issue, if for no other reason than to straighten out
the situation with the user who had enough insight to spot it and
assume its a problem.
2) Only reporting a bug between Dec 20 - Jan 4 is in bad practice, I
think.  The advisory noted those two dates as when the vendor was sent
an advisory.  As most people know this  period of time is considered
Christmas and New Years vacation in the USA and other places.  Beyond
that the phpXplorer project is an open source project and may not have
dedicated support.

In short a little more leeway should be profited during the holidays
and vendors should always respond to issue like this so no one gets
hung out to dry like this.

Best Regards,
Stan Bubrouski


On 1/16/06, Stan Bubrouski <stan.bubrouski () gmail com> wrote:
> Seeing as phpXplorer allows the upload and editing of live PHP files
> anyways it seems to me this exploit is completely useless.  You can
> use the script as intended to cat the password file if you want.
> Right?
>
> -sb
>
>
> On 1/16/06, Oriol Torrent <oriol.torrent () gmail com> wrote:
> > ==========================================================
> > Title: Directory traversal in phpXplorer
> >
> > Application: phpXplorer
> > Vendor: http://www.phpxplorer.org
> > Vulnerable Versions: 0.9.33
> > Bug: directory traversal
> > Date: 16-January-2006
> > Author: Oriol Torrent Santiago < oriol.torrent.AT.gmail.com >
> >
> > References:
> > http://www.arrelnet.com/advisories/adv20060116.html
> >
> > ==========================================================
> >
> > 1) Background
> >    -----------
> >   phpXplorer is an open source file management system written in PHP.
> >   It enables you to work on a remote file system through a web browser.
> >
> >
> > 2) Problem description
> >    --------------------
> >    An attacker can read arbitrary files outside the web root by sending
> >    specially formed requests
> >
> >   Ex:
> >
> > http://host/phpXplorer/system/workspaces.php?sShare=../../../../../../../../etc/passwd%00&ref=1
> >
> >
> > 3) Solution:
> >    ----------
> >    No Patch available.
> >
> >
> > 4) Timeline
> >    ---------
> >    17/12/2005 Bug discovered
> >    20/12/2005 Vendor receives detailed advisory. No response
> >    04/01/2006 Second notification. No response
> >    16/01/2006 Public Disclosure