Search | Research | Contact Us Tuesday October 10, 2021
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  3 Multiple Invision Power Board Vulnerabilities
  4 Mambo Multiple Vulnerabilities
  5 eBay And Amazon Still Vulnerable
  6 PEAR XML_RPC Library Remote Code Execution
  7 When Small Mistakes Can Cause Big Problems
  8 Woltlab Burning Board SQL Injection Vulnerability
  9 WordPress And Earlier Multiple Vulnerabilities
10 MySQL Eventum Multiple Vulnerabilities
Need Secure Code?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Services Archives Research Downloads Contact
paFileDB Multiple Vulnerabilities
June 14, 2022
Vendor : php Arena
Version : paFileDB 3.1 And Earlier
Risk : Multiple Vulnerabilities

paFileDB is a popular open source web application offered by php Arena. paFileDB allows webmasters to open up an interactive file repository on their website. There are a number of vulnerabilities in paFileDB that may allow for an attacker to include arbitrary files, retrieve sensitive user and/or database information, and completely bypass admin, and team member authentication. Users should upgrade immediately.

Cross Site Scripting:
There are a number of cross site scripting issues in the paFileDB software. Majority of these cross site scripting issues stem from concatenated variables never being initialized.




These vulnerabilities can be used to render hostile code in the context of the victims browser, and in turn disclose sensitive information to an attacker.

SQL Injection:
There are a number of SQL Injection vulnerabilities in paFileDB, but it should be noted that to exploit these issues magic quotes gpc must be off. Also, magic quotes off seems to be the default php.ini settings now so I do consider these issues fairly high risk. The most serious of the SQL Injection issues lies in the administrative login.
if ($login == "do") 
	$admin = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_admin WHERE 
        admin_username = '$formname'", 1);
	$formpw = md5($formpass);
	if ($formpw == $admin[admin_password]) 
		$adminip = getenv ("REMOTE_ADDR");
		$ip = md5($adminip);
		$user = $formname;
		$pass = $formpw;
		if ($authmethod == "cookies") 
			$cookiedata = "$ip|$formname|$formpw";
			setcookie("pafiledbcookie", $cookiedata);
		header("Location: admin.php");

The variable $formname is taken directly from the submitted login form and executed in the query, so if magic quotes gpc an attacker can use UNION SELECT to bypass admin authentication!


The query above uses a UNION SELECT to get the admin username, id, email etc but we specify the password hash as the md5 encrypted value of the $formpass variable. This same issue applies to the team login, and also the auth.php scripts in the /teams/ and /admin/ directory.

There is also an SQL Injection vulnerability that will allow for team members to gain the administrative password hash and escalate their privileges to admin.



Last but not least there is a SQL Injection vulnerability in search.php because the $string variable is never sanitized.

There is one SQL Injection issue in paFileDB that does not require magic_ quotes_gpc to be disabled. This particular issue will let a team member run any sql command that they like, including making themselves an admin.


The above url would successfully set the admin password to 1337 if ran by a logged in team member or admin. This vulnerability exists because the $query variable is never declared before being concatenated so we can in turn hijack the $query variable and run any sql commands we like.

Local File Inclusion:
paFileDB is vulnerable to a local file inclusion vulnerability that may allow for an attacker to execute arbitrary local scripts, or read/access arbitrary files on the webserver. Let's look at pafiledb.php

if ($login == "do") { include "./includes/$action/login.php"; exit; }
if ($ad == "logout") { include "./includes/admin/logout.php"; exit; }
if ($tm == "logout") { include "./includes/team/logout.php"; exit; }

The $action variable is never sanitized and vulnerable to directory traversal sequences.


This vulnerability exists on all paFileDB configurations, as all GPC is extracted to global variables.

A new version of paFileDB has been released, so upgrading is advised.

James Bercegay of the GulfTech Security Research Team