CVE-2004-0237
Description
Directory traversal in Aprox PHP Portal's index.php allows remote unauthenticated attackers to read arbitrary files via the show parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A directory traversal vulnerability exists in index.php of Aprox PHP Portal. The application fails to sanitize the show parameter, allowing an attacker to supply a full pathname to read arbitrary files from the server filesystem. This affects all versions of Aprox PHP Portal known at the time of disclosure [1].
Exploitation
An attacker can exploit this vulnerability by sending an HTTP GET request to the vulnerable server with the show parameter set to an absolute path to a target file, such as /etc/passwd. No authentication or special privileges are required; the attacker only needs network access to the web server [1].
Impact
Successful exploitation allows the attacker to read arbitrary files on the server, including sensitive system files like /etc/passwd. This results in information disclosure, potentially exposing credentials, configuration data, or other confidential information. The attack is limited to file read operations; it does not provide write access or remote code execution [1].
Mitigation
The available reference [1] does not mention any vendor-supplied fix or workaround. As Aprox PHP Portal may be legacy or unsupported, the recommended mitigation is to decommission or replace the software with a supported alternative. Users should restrict network access to the vulnerable application until migration is complete.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (5)
- www.securityfocus.com/bid/9540 (nvd; Exploit, Vendor Advisory)
- marc.info (nvd)
- securitytracker.com/id (nvd)
- www.osvdb.org/10859 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/15014 (nvd)