GHDB « Hackers For Charity

GHDB

GHDB

Google Search: inurl:”index.php?module=ew_filemanager”

klouw rates this entry 4 out of 10.
Submitted: 2004-07-29 00:00:00
Added by: klouw
Hits: 3132
Score: 4

http://www.cirt.net/advisories/ew_file_manager.shtml:Product: EasyWeb FileManager Module – http://home.postnuke.ru/index.phpDescription: EasyWeb FileManager Module for PostNuke is vulnerable to a directory traversal problem which allows retrieval of arbitrary files from the remote system. Systems Affected: EasyWeb FileManager 1.0 RC-1Technical Description: The PostNuke module works by loading a directory and/or file via the “pathext” (directory) and “view” (file) variables. Providing a relative path (from the document repository) in the “pathext” variable will cause FileManager to provide a directory listing of that diretory. Selecting a file in that listing, or putting a file name in the “view” variable, will cause EasyWeb to load the file specified. Only files and directories which can be read by the system user running PHP can be retrieved.Assuming PostNuke is installed at the root level:/etc directory listing:/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc/etc/passwd file:/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc/&view=passwdFix/Workaround:Use another file manager module for PostNuke, as the authors do not appear to bemaintaining EW FileManager.Vendor Status: Vendor was contacted but did not respond.Credir: Sullo – cirt.netNOTE: mitigating factor, an attacker needs to be registred and logged on to have access rights to this module.

Comments:


5 Responses to “GHDB”

  1. Jack says:
    October 26, 2011 at 9:12 pm

    Does GHDB still updates for now?

  2. Johnny says:
    October 27, 2011 at 3:31 am

    The GHDB is alive and well, updated through the ExploitDB: http://www.exploit-db.com/google-dorks.

  3. The Artist says:
    April 20, 2013 at 7:10 am

    Hi Johnny,been a while since I’ve came last. Aren’t you gonna update this website anymore???

  4. Johnny says:
    April 27, 2013 at 5:10 am

    The GHDB is not updated and lives with the exploitdb: http://http://www.exploit-db.com. Please check out the awesome folks at Offensive Security as well: http://www.offensive-security.com!

  5. Velmurugan says:
    May 7, 2013 at 7:38 am

    Is any offline view-able resources is available of this product ?

Leave a Reply