
webgrind 1.0 (file param) Local File Inclusion Vulnerability

Medium
Advisory ID
ZSL-2012-5075
Release Date
25 February 2012
Vendor
Joakim Nygard and Jacob Oettinger - http://code.google.com/p/webgrind
Affected Version
1.0 (v1.02 in trunk on github)
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 2.2.21, PHP 5.3.9, MySQL 5.5.20
Summary

Webgrind is an Xdebug profiling web frontend in PHP5.

Description

webgrind suffers from a local file inclusion (LFI) vulnerability: input passed through the 'file' parameter to index.php is not properly verified before being used to include files. This can be exploited to include files from local resources using directory traversal sequences and URL-encoded NULL bytes.

/index.php (lines 122-124):
-----------
    case 'fileviewer':
        $file = get('file');
        $line = get('line');
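
One way to validate a user-supplied path before a viewer opens it, as an added example (not webgrind's code and not a vendor fix). The helper name resolve_viewer_path, the $allowedRoots list and the temporary demo files are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not webgrind's code.
// Resolves a user-supplied path and accepts it only if it lies inside
// one of the directories the viewer is meant to expose.
function resolve_viewer_path($requested, array $allowedRoots)
{
    // Reject non-strings (e.g. file[]=...) and embedded NUL bytes outright.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }
    // realpath() collapses "../" sequences and symlinks; false if missing.
    $real = realpath($requested);
    if ($real === false || !is_file($real)) {
        return false;
    }
    foreach ($allowedRoots as $root) {
        $rootReal = realpath($root);
        if ($rootReal === false) {
            continue;
        }
        // Trailing separator so a root "src" does not match "src-private".
        $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return $real;
        }
    }
    return false;
}

// Constructed demo tree: one allowed root, one look-alike sibling, one outside file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'viewer_demo_' . uniqid();
mkdir($base . '/src', 0700, true);
mkdir($base . '/src-private', 0700, true);
file_put_contents($base . '/src/app.php', "<?php echo 'hi';\n");
file_put_contents($base . '/src-private/secret.txt', "constructed\n");
file_put_contents($base . '/outside.txt', "constructed\n");

$roots = array($base . '/src');
$cases = array(
    $base . '/src/app.php',             // file inside the allowed root
    $base . '/src/../outside.txt',      // traversal out of the root
    $base . '/src-private/secret.txt',  // sibling directory sharing the prefix
    $base . "/src/app.php\0.txt",       // embedded NUL byte
);
foreach ($cases as $c) {
    $r = resolve_viewer_path($c, $roots);
    echo str_replace("\0", '\\0', $c), ' => ', ($r === false ? 'REJECTED' : 'ok'), "\n";
}
```

The check runs on the resolved path rather than the raw parameter, so encoded or nested traversal sequences are judged by where they actually point.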
Proof of Concept
Disclosure Timeline
22.02.2012: Vulnerability discovered.
22.02.2012: Vendor notified.
24.02.2012: No response from the vendor.
25.02.2012: Public security advisory released.
Credits
Vulnerability discovered by Michael Meyer
References
Changelog
25.02.2012: Initial release
28.02.2012: Added reference [4]
27.03.2012: Added reference [5], [6] and [7]
01.10.2012: Added reference [8]