alfredleo / fimap

Automatically exported from code.google.com/p/fimap

Not detecting an existing LFI #32

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
A LFI exists in a server with this form:

http://domain.com/content.php?page=projects/multimodal/index.php?page=/../../../../../local/file

But somehow fimap is unable to detect it.

I tried with some possibilities but no luck:

./fimap.py -u 'http://domain.com/content.php?page=projects/multimodal/index.php?page='

./fimap.py -u 'http://domain.com/content.php?page=projects/multimodal/index.php?page'

The fimap version is alpha_v08.1

PS: If necessary I can send you the details by email

Original issue reported on code.google.com by gorilla....@gmail.com on 10 Jun 2010 at 6:36

GoogleCodeExporter commented 9 years ago
Hi man!

Are you sure that the error message is visible on the server?
If not, you should enable blind scanning (--enable-blind) to "bruteforce" the paths instead of the "smart" method fimap uses.

If the error message is visible and you are sure that it is a bug, please send me the details at fimap.dev@gmail.com

Thank you very much!
-imax.

Original comment by fimap....@gmail.com on 10 Jun 2010 at 6:47

GoogleCodeExporter commented 9 years ago
Yeah, you are right, the error message is not visible. Anyway, I tried with the blind option with no results.

I'm sending you a private message with the details.

Thanks!

Original comment by gorilla....@gmail.com on 10 Jun 2010 at 7:26

GoogleCodeExporter commented 9 years ago
We exchanged some emails.
The final decision is to make it possible to also exploit cases like the one you have posted above.
I already have an idea how to implement it into fimap.

Thank you for letting me know this missing feature!
-imax.

Original comment by fimap....@gmail.com on 12 Jun 2010 at 11:44
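
Seen from the server side, the request shape reported in this issue (a `page` value that carries a second `?page=` followed by `../` sequences) can be flagged in access logs even when no error message is returned. The following is an added example, not part of the thread and not fimap code; the parameter name `page` comes from the reported URL, while the helper names and sample requests are constructed for illustration.

```python
import sys
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample request targets (not taken from a real log).
SAMPLE_REQUESTS = [
    "/content.php?page=projects/multimodal/index.php",
    "/content.php?page=projects/multimodal/index.php?page=/../../../../../local/file",
    "/content.php?page=projects%2F..%2F..%2F..%2Flocal%2Ffile",
    "/content.php?page=projects/../about.php",
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is seen in clear."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(value):
    """True if the path is absolute or climbs above the directory it starts in."""
    value = value.replace("\\", "/")
    if value.startswith("/"):
        return True  # assumption: include values are expected to be relative
    depth = 0
    for part in value.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1  # "index.php?page=" counts as one ordinary component
    return False

def inspect(target, param="page"):
    """Return the findings for one request target (path plus query string)."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name != param:
            continue
        value = fully_decode(value)
        if "?" in value:
            findings.append("nested-query")
        if escapes_base(value):
            findings.append("escapes-base")
    return findings

if __name__ == "__main__":
    # With no arguments, run over the constructed samples.
    for target in sys.argv[1:] or SAMPLE_REQUESTS:
        print(inspect(target), target)
```
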