Directory traversal vulnerability in index.php for CitrusDB 0.3.6 and earlier allows remote attackers and local users to include arbitrary PHP files via .. (dot dot) sequences in the load parameter.
CitrusDB suffers from a directory traversal vulnerability in version 0.3.6.
Advisory: Directory traversal in CitrusDB
RedTeam found a directory traversal vulnerability in CitrusDB which results
in inclusion of any accessible local .php file.
Affected Version: 0.3.6, probably <= 0.3.5, too
Immune Version: none (2005-02-03)
OS affected: all
Description from vendor: "CitrusDB is an open source customer database
application that uses PHP and a database backend (currently MySQL) to keep
track of customer information, services, products, billing, and customer
It is possible to include any locally accessible .php file.
CitrusDB uses a wrapper script (./citrusdb/tools/index.php) to load
modules and tools. The GET parameter "load" specifies which file is
included. Because the value is used as a relative path, any .php file on
the server that can be accessed by the script may be included.
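The following is an added illustration, not CitrusDB's own tools/index.php: a hypothetical module loader showing the weak pattern described above (the request parameter used directly as an include target) next to a hardened version that allowlists module names and confirms the resolved path stays inside the module directory. The directory layout and module names are assumptions.

```php
<?php
// Illustrative example only (not CitrusDB code). Module directory and
// module names below are assumed for the demonstration.

// Weak pattern: the "load" value is used directly as the include target,
// so a value containing ".." resolves outside the tools directory.
function load_module_unsafe(string $load): void
{
    include './' . $load;   // nothing restricts what $load resolves to
}

// Hardened: accept only known module names and verify the real path.
const MODULE_DIR = __DIR__ . '/modules';                       // assumed
const ALLOWED_MODULES = ['customers', 'billing', 'services'];  // assumed

function resolve_module(string $load): ?string
{
    // 1. Allowlist: the client may only name a module, never a path.
    if (!in_array($load, ALLOWED_MODULES, true)) {
        return null;
    }
    // 2. Defence in depth: resolve the concrete file and confirm it lies
    //    under MODULE_DIR. realpath() collapses ".." and symlinks, so the
    //    check is on the real location, not on the string the client sent.
    $base = realpath(MODULE_DIR);
    $path = realpath(MODULE_DIR . '/' . $load . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function load_module(string $load): void
{
    $path = resolve_module($load);
    if ($path === null) {
        http_response_code(400);
        exit('unknown module');
    }
    include $path;
}

// Usage in the wrapper script: load_module($_GET['load'] ?? '');
```

A request such as load=../../../../tmp/exploit.php fails the allowlist check and is rejected before any include is attempted; logging such rejections gives a simple detection signal for traversal attempts against the wrapper.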
Proof of Concept
To include /tmp/exploit.php use:
Note: You need to be logged in to access this URL.
The security risk is rated medium. An attacker needs to be able to place a
.php file on the local filesystem, which is normally a high barrier, but in
shared hosting environments this may be easier.
2005-02-04 Email sent to author
2005-02-12 CVE number requested
2005-02-14 posted as CAN-2005-0411
RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find
information on the RedTeam Project at
Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/
Discovery of this vulnerability is credited to RedTeam.
CitrusDB Customer Database 0.3.6
CitrusDB is reportedly affected by a vulnerability that permits the inclusion of any local PHP file. This issue is due to the application failing to properly sanitize user-supplied input.
This issue is reported to affect CitrusDB 0.3.6; earlier versions may also be affected.
This issue may also allow remote file includes, although this has not been confirmed.
No exploit is required.
The following proof of concept is available: http://www.example.com/citrusdb/tools/index.php?load=../../../../../../tmp/exploit.php
(exploit.php would be a malicious PHP script on the same computer)
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org <mailto:email@example.com>.