CVE-2013-5688

Name of the Vulnerable Software and Affected Versions AjaXplorer versions 5.0.2 and earlier

Description The issue allows remote authenticated users to read arbitrary files or upload files to arbitrary locations via directory traversal vulnerabilities in the index.php file. This can be achieved by using a ../%00 (dot dot backslash encoded null byte) in the file parameter for download or get content actions, or in the dir parameter for an upload action.

Recommendations For AjaXplorer versions 5.0.2 and earlier, consider restricting access to the index.php file until a patch is available, and avoid using the file and dir parameters in the affected actions. As a temporary workaround, restrict the upload functionality to prevent arbitrary file uploads. At the moment, there is no information about a newer version that contains a fix for this vulnerability.