Remote Code Execution Vulnerability

[EgiX]

Hi,
I've found a vulnerability that afflict the Ajax File Manager plugin. The vulnerable code is located in /admin/editor/plugins/ajaxfilemanager/ajax_create_folder.php

Code: Select all

	@ob_start();
	displayArray($_POST);
	writeInfo(@ob_get_clean());	

The writeInfo() function simply write all the $_POST content into a file called 'data.php' so an attacker could be able to execute arbitrary PHP code.
I suggest to comment out the entire line 13 otherwise you could change 'data.php' with 'data.txt' into /admin/editor/plugins/ajaxfilemanager/inc/function.base.php

Regards,
EgiX

[jason102178]

Thank you for that information EgiX, I will have Thorsten the Lead Developer take a look into this..

Cheers,

Jason

[Thorsten]

Hi,

I'll check it.

bye
Thorsten

[jason102178]

Fixed in 2.7.1 version

also can find fix on github

https://github.com/thorsten/phpMyFAQ/co ... 4456956882

[Thorsten]

HI,

thanks for your hint, 2.6.19 and 2.7.1 were released a couple of minutes ago. I mentioned your name in the security advisory: http://www.phpmyfaq.de/advisory_2011-10-25.php

Thanks again!

bye
Thorsten

[MiloMamino]

Fixed in 2.7.1 version

also can find fix on github

https://github.com/thorsten/phpMyFAQ/co ... 4456956882

This fix seems to help. I will test it and if I face any issues I will contact you again