Directory traversal in CitrusDB
RedTeam found a directory traversal vulnerability in CitrusDB which results in inclusion of any accessible local .php file.
Details
- Product: CitrusDB
- Affected Version: 0.3.6, probably <= 0.3.5, too
- Immune Version: none (2005-02-03)
- OS affected: all
- Security-Risk: medium
- Remote-Exploit: no
- Vendor-URL:
http://www.citrusdb.org - Vendor-Status: informed
- Advisory-URL:
https://www.redteam-pentesting.de/advisories/rt-sa-2005-005 - Advisory-Status: public
- CVE: CAN-2005-0411 (
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0411)
Introduction
Description from vendor:
“CitrusDB is an open source customer database application that uses PHP and a database backend (currently MySQL) to keep track of customer information, services, products, billing, and customer service information.”
It is possible to include any local accessible .php file.
More Details
CitrusDB uses a wrapper script (./citrusdb/tools/index.php) to load different modules and tools. The GET parameter “load” specifies which file should be included. With a relative path appended any .php file, that may be accessed by the script, on the server may be included.
Proof of Concept
To include /tmp/exploit.php use:
http://<target>/citrusdb/tools/index.php?load=../../../../../../tmp/exploit
Note: You need to be logged in to access this url.
Workaround
n/a (2005-02-03)
Fix
n/a (2005-02-03)
Security Risk
The security risk is rated medium. An attacker needs to be able to create a .php file on the local filesystem which is normally a high barrier but in shared hosting enviroments this may be easier.
History
- 2005-02-04 Email sent to author
- 2005-02-12 CVE number requested
- 2005-02-14 posted as CAN-2005-0411
- 2009-05-08 Updated Advisory URL
RedTeam
RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more information on the RedTeam Project at https://www.redteam-pentesting.de