BID:39623

LightNEasy 'get_file.php' Local File Disclosure Vulnerability

Info

LightNEasy 'get_file.php' Local File Disclosure Vulnerability

Bugtraq ID:	39623
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 21 2010 12:00AM
Updated:	Apr 21 2010 12:00AM
Credit:	ITSecTeam
Vulnerable:	LightNEasy LightNEasy 3.1.1 LightNEasy LightNEasy 3.1

Not Vulnerable:

Discussion

LightNEasy 'get_file.php' Local File Disclosure Vulnerability

LightNEasy is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.

LightNEasy 3.1 and 3.1.1 are vulnerable; other versions may also be affected.

Exploit / POC

LightNEasy 'get_file.php' Local File Disclosure Vulnerability

Attackers may exploit this issue through a browser.

The following example URI is available:

http://www.example.com/plugins/filemanager/get_file.php?file=[file_to_read]

Solution / Fix

LightNEasy 'get_file.php' Local File Disclosure Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

References

LightNEasy 'get_file.php' Local File Disclosure Vulnerability

References:

LightNEasy Homepage (LightNEasy)
LightNEasy 3.1.x Multiple Vulnerabilites ([email protected])