skip to navigation. Skip to the content.
> Advisories > rt-sa-2005-005 vertical divider

Directory traversal in CitrusDB

RedTeam found a directory traversal vulnerability in CitrusDB which results in inclusion of any accessible local .php file.


Product: CitrusDB
Affected Version: 0.3.6, probably <= 0.3.5, too
Immune Version: none (2005-02-03)
OS affected: all
Security-Risk: medium
Remote-Exploit: no
Vendor-Status: informed
Advisory-Status: public
CVE: CAN-2005-0411


Description from vendor: "CitrusDB is an open source customer database
application that uses PHP and a database backend (currently MySQL) to keep track of customer information, services, products, billing, and customer service information."

It is possible to include any local accessible .php file. 

More Details

CitrusDB uses a wrapper script (./citrusdb/tools/index.php) to load different modules and tools. The GET parameter "load"   specifies which file should be included. With a relative path appended any .php file, that may be accessed by the script, on the server may be included.

Proof of Concept

To include /tmp/exploit.php use:
Note: You need to be logged in to access this url.


n/a (2005-02-03)


n/a (2005-02-03)

Security Risk

The security risk is rated medium. An attacker needs to be able to create a .php file on the local filesystem which is normally a high barrier but in shared hosting enviroments this may be easier.


2005-02-04 Email sent to author 
2005-02-12 CVE number requested 
2005-02-14 posted as CAN-2005-0411
2009-05-08 Updated Advisory URL


RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more information on the RedTeam Project at