webgrind 1.0 (file param) Local File Inclusion Vulnerability

Title: webgrind 1.0 (file param) Local File Inclusion Vulnerability
Advisory ID: ZSL-2012-5075
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 25.02.2012
Summary
Webgrind is an Xdebug profiling web frontend in PHP5.
Description
webgrind suffers from a local file inclusion (LFI) vulnerability: input passed through the 'file' parameter to index.php is not properly verified before being used to include files. This can be exploited to include files from local resources via directory traversal and URL-encoded NULL bytes.

--------------------------------------------------------------------------------

/index.php:
-----------
122: case 'fileviewer':
123: $file = get('file');
124: $line = get('line');

--------------------------------------------------------------------------------
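The root cause is that the value of get('file') reaches the include/read call with no canonicalisation or containment check. The following hardened fileviewer handling is an added example written for this advisory, not webgrind's own code; it assumes a base directory VIEWER_BASE that the viewer is allowed to serve from and a get() helper like the one in the excerpt above (both hypothetical). It rejects NUL bytes up front, canonicalises the path with realpath() so that '..' segments and symlinks are resolved, and only then checks that the result still lies under the allowed base.

```php
<?php
// Added example (not webgrind's code): containment check for a user-supplied
// file path in a "fileviewer"-style feature.
declare(strict_types=1);

// Assumed allowed root for the viewer (hypothetical path).
const VIEWER_BASE = '/var/www/webgrind/allowed';

// Minimal stand-in for the get() helper seen in the advisory excerpt.
function get(string $key, $default = null)
{
    return $_GET[$key] ?? $default;
}

/**
 * Resolve a user-supplied path to a regular file under $base.
 * Returns the canonical absolute path, or null if the input is rejected.
 */
function resolve_viewer_file(string $userPath, string $base = VIEWER_BASE): ?string
{
    // A NUL byte can never be part of a legitimate filename; older PHP
    // versions truncated the path at %00, which is what the advisory abuses.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }

    $realBase = realpath($base);
    if ($realBase === false) {
        return null; // base directory missing or unreadable
    }

    // realpath() collapses '..' and resolves symlinks. It returns false for
    // paths that do not exist, which we also treat as a rejection.
    $real = realpath($realBase . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false) {
        return null;
    }

    // Containment: the resolved path must be the base itself or start with
    // "<base>/". Comparing after canonicalisation is what defeats traversal.
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $realBase && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return is_file($real) ? $real : null;
}

// Vulnerable pattern from the advisory, for contrast (do not use):
//   $file = get('file');
//   include $file;   // traversal and %00 reach the filesystem unchecked

// Hardened handling:
$file = resolve_viewer_file((string) get('file', ''));
if ($file === null) {
    http_response_code(400);
    exit('Invalid file parameter');
}
$line  = max(1, (int) get('line', 1));
$lines = file($file, FILE_IGNORE_NEW_LINES);
// Display only; never include() user-selected content.
echo htmlspecialchars($lines[$line - 1] ?? '', ENT_QUOTES, 'UTF-8');
```

The order of the checks matters: the NUL-byte test must come before any filesystem call, and the prefix comparison must be done on the realpath() output rather than on the raw parameter, otherwise a traversal sequence or a symlink inside the base directory can still escape it. Displaying the selected line with htmlspecialchars() instead of include() also removes the code-execution path that file inclusion opens.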

Vendor
Joakim Nygard and Jacob Oettinger - http://code.google.com/p/webgrind
Affected Version
1.0 (v1.02 in trunk on github)
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
PHP 5.3.9
MySQL 5.5.20
Vendor Status
[22.02.2012] Vulnerability discovered.
[22.02.2012] Vendor notified.
[24.02.2012] No response from the vendor.
[25.02.2012] Public security advisory released.
PoC
webgrind_lfi.txt
Credits
Vulnerability discovered by Michael Meyer - <michael.meyer@greenbone.net>
References
[1] http://code.google.com/p/webgrind/issues/detail?id=66
[2] http://cxsecurity.com/issue/WLB-2012020223
[3] http://www.exploit-db.com/exploits/18523/
[4] http://packetstormsecurity.org/files/110216
[5] http://www.osvdb.org/show/osvdb/80346
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1790
[7] http://xforce.iss.net/xforce/xfdb/73509
[8] http://www.securityfocus.com/bid/52644
Changelog
[25.02.2012] - Initial release
[28.02.2012] - Added reference [4]
[27.03.2012] - Added reference [5], [6] and [7]
[01.10.2012] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk