Contact

Contact us

+49 241 510081-0
kontakt@redteam-pentesting.de
Contact form
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

Directory traversal in CitrusDB

RedTeam found a directory traversal vulnerability in CitrusDB which results in inclusion of any accessible local .php file.

Details

  • Product: CitrusDB
  • Affected Version: 0.3.6, probably <= 0.3.5, too
  • Immune Version: none (2005-02-03)
  • OS affected: all
  • Security-Risk: medium
  • Remote-Exploit: no
  • Vendor-URL: http://www.citrusdb.org
  • Vendor-Status: informed
  • Advisory-URL: https://www.redteam-pentesting.de/advisories/rt-sa-2005-005
  • Advisory-Status: public
  • CVE: CAN-2005-0411 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0411)

Introduction

Description from vendor:

“CitrusDB is an open source customer database application that uses PHP and a database backend (currently MySQL) to keep track of customer information, services, products, billing, and customer service information.”

It is possible to include any local accessible .php file.

More Details

CitrusDB uses a wrapper script (./citrusdb/tools/index.php) to load different modules and tools. The GET parameter “load” specifies which file should be included. With a relative path appended any .php file, that may be accessed by the script, on the server may be included.

Proof of Concept

To include /tmp/exploit.php use:

http://<target>/citrusdb/tools/index.php?load=../../../../../../tmp/exploit

Note: You need to be logged in to access this url.

Workaround

n/a (2005-02-03)

Fix

n/a (2005-02-03)

Security Risk

The security risk is rated medium. An attacker needs to be able to create a .php file on the local filesystem which is normally a high barrier but in shared hosting enviroments this may be easier.

History

  • 2005-02-04 Email sent to author
  • 2005-02-12 CVE number requested
  • 2005-02-14 posted as CAN-2005-0411
  • 2009-05-08 Updated Advisory URL

RedTeam

RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more information on the RedTeam Project at https://www.redteam-pentesting.de