FD Script FName Parameter Information Disclosure Vulnerability

Bugtraq ID:	22265
Class:	Input Validation Error
CVE:	CVE-2007-0620
Remote:	Yes
Local:	No
Published:	Jan 26 2007 12:00AM
Updated:	May 12 2015 07:35PM
Credit:	ajann is credited with the discovery of this vulnerability.
Vulnerable:	Vlad Leont FD Script 1.3.2 Vlad Leont FD Script 1.3.1 Vlad Leont FD Script 1.3
Not Vulnerable:

FD Script FName Parameter Information Disclosure Vulnerability

FD Script is prone to an information-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable system in the context of the webserver process. Information obtained may aid in further attacks.

FD Script 1.32 and prior versions are vulnerable to this issue.

FD Script FName Parameter Information Disclosure Vulnerability

Attackers can exploit this vulnerability with a standard web browser.

An example URI has been provided:

http://www,example.com/download.php?fname=[SOURCE FILE]

FD Script FName Parameter Information Disclosure Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

FD Script FName Parameter Information Disclosure Vulnerability

References:

• FD Script Homepage (Vlad Leonte)
  
• FdScript <= v1.3.2 Remote File Disclosure Vulnerability ([email protected])