Full Disclosure mailing list archives

Advisory: Directory traversal in CitrusDB
From: Maximillian Dornseif <dornseif () informatik rwth-aachen de>
Date: Mon, 14 Feb 2005 22:31:30 +0100

                  Advisory: Directory traversal in CitrusDB

RedTeam found a directory traversal vulnerability in CitrusDB which results
in inclusion of any accessible local .php file.


Product: CitrusDB
Affected Version: 0.3.6, probably <= 0.3.5, too
Immune Version: none (2005-02-03)
OS affected: all
Security-Risk: medium
Remote-Exploit: no
Vendor-URL: http://www.citrusdb.org
Vendor-Status: informed
Advisory-URL: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-005
Advisory-Status: public
CVE: CAN-2005-0411 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0411#)


Description from vendor: "CitrusDB is an open source customer database
application that uses PHP and a database backend (currently MySQL) to keep
track of customer information, services, products, billing, and customer
service information."

It is possible to include any locally accessible .php file.

More Details

CitrusDB uses a wrapper script (./citrusdb/tools/index.php) to load different modules and tools. The GET parameter "load" specifies which file should be included. Because the parameter is used as a relative path, any .php file on the server that the script is able to read may be included.
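The following is an added illustration, not CitrusDB's own code: it models the include pattern the advisory describes (a wrapper that builds a file name from the "load" parameter) next to a hardened variant that maps the parameter onto a fixed allowlist of module files. The module names and the modules/ directory are assumptions for the example.

```php
<?php
// Added example, NOT CitrusDB source. Models the pattern described in the
// advisory: a wrapper that derives an include path from the "load" parameter.

// Vulnerable shape (assumed): the parameter is concatenated straight into the
// path, so ".." segments walk out of the intended directory and any readable
// .php file on the host can be included.
function vulnerableInclude(string $load): void
{
    include __DIR__ . '/' . $load . '.php';
}

// Hardened variant: the parameter is only ever used as a key into a fixed
// allowlist, and the resolved path is checked to stay inside modules/.
function safeInclude(string $load): bool
{
    static $modules = [
        'customers' => 'customers.php',   // hypothetical module names
        'billing'   => 'billing.php',
    ];
    if (!array_key_exists($load, $modules)) {
        // Reject and log: an unexpected value here is worth an alert.
        error_log('index.php: rejected load=' . $load);
        return false;
    }
    $base = realpath(__DIR__ . '/modules');
    $path = realpath($base . '/' . $modules[$load]);
    // realpath() canonicalizes the path; the prefix check also catches a
    // symlink inside modules/ that points somewhere else.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

$load = isset($_GET['load']) ? (string) $_GET['load'] : '';
if (!safeInclude($load)) {
    http_response_code(404);
    echo 'Unknown module';
}
```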

Proof of Concept

To include /tmp/exploit.php use:
http://<target>/citrusdb/tools/index.php?load=../../../../../../tmp/exploit
Note: You need to be logged in to access this URL.


n/a (2005-02-03)


n/a (2005-02-03)

Security Risk

The security risk is rated medium. An attacker needs to be able to create a .php file on the local filesystem, which is normally a high barrier, but in shared hosting environments this may be easier.


2005-02-04 Email sent to author
2005-02-12 CVE number requested
2005-02-14 posted as CAN-2005-0411


RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find more
information on the RedTeam Project at

Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
