J-Security Center

Title: PHPMyExplorer Arbitrary File Disclosure Vulnerability

Severity: HIGH

Description:

PHPMyExplorer is a free application that provides a web user interface for managing web content on a host. It works with Apache for Microsoft Windows systems and also on Linux platforms.

An input validation problem exists in PHPMyExplorer. A user can browse the filesystem of the host by crafting a URL that contains variations of '../' sequences to break out of wwwroot. The '../' sequences are supplied as the value of the 'chemin' parameter of 'index.php' (that is, 'index.php?chemin=').

For example:

http://server//index.php?chemin=..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc

As a result, the attacker is able to display arbitrary web-readable files, potentially disclosing sensitive information about the host.
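As an added example (not part of this advisory and not PHPMyExplorer's own code), the containment check a patched 'index.php' should apply to the decoded 'chemin' value, reused as a detector over constructed Apache access-log lines; the wwwroot path, the log lines and the function names are assumptions made here.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory): one benign
# request, the encoded traversal from the advisory, and a %2e-encoded variant.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?chemin=docs%2Freports HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?chemin=..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?chemin=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def resolve_chemin(wwwroot, chemin):
    """Decode 'chemin', anchor it under wwwroot and collapse '.'/'..' segments.
    Returns the resolved path, or None when it escapes wwwroot."""
    # Decode twice so %2F and double-encoded %252e sequences are both normalised.
    decoded = unquote(unquote(chemin))
    root = posixpath.normpath(wwwroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment check: the resolved path must be the root or a descendant of it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def traversal_hits(log_text, wwwroot="/var/www/html"):
    """Return the log lines whose 'chemin' value escapes the hypothetical wwwroot."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs already percent-decodes once; resolve_chemin decodes again.
        query = parse_qs(urlsplit(m.group(1)).query)
        if any(resolve_chemin(wwwroot, c) is None for c in query.get("chemin", [])):
            hits.append(line)
    return hits
```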

Affected Products:

  • PHPMyExplorer Classic 1.0.0
  • PHPMyExplorer Classic 1.1.0.0
  • PHPMyExplorer Classic 1.1.1
  • PHPMyExplorer Classic 1.1.3
  • PHPMyExplorer Classic 1.1.4
  • PHPMyExplorer Classic 1.1.5
  • PHPMyExplorer Classic 1.2.0
  • PHPMyExplorer MultiUser 1.0.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.