VYPR
Unrated severity · NVD Advisory · Published Jan 27, 2020 · Updated Aug 6, 2024

CVE-2013-2474

Description

Directory traversal vulnerability in AWS XMS 2.5 allows remote attackers to view arbitrary files via the 'what' parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products (2)

  • AWS/XMS (source: description)
  • AWS/XMS (source: llm-create), range: <=2.5

Patches

Vulnerability mechanics

Root cause

"Insufficient filtration of the 'what' HTTP GET parameter in /importer.php before passing it to PHP's file() function allows directory traversal."

Attack vector

An attacker sends a crafted HTTP GET request to `/importer.php` with a malicious `what` parameter. The script fails to sanitize this parameter before passing it to PHP's `file()` function, enabling directory traversal [CWE-22] [ref_id=1]. Because the script sets `text/javascript` Content-Type, exploitation via a browser is inconvenient, but tools like `wget` or `telnet` work easily. The attacker can use NULL-byte injection (`%00.js`) to append a harmless extension, or on systems with PHP 5.3.4+ (where NULL-byte protection is active), a path of many `/////` symbols (4096 slashes) can bypass length restrictions to read arbitrary files [ref_id=1].

Affected code

The vulnerability is in the `/importer.php` script, which passes the `what` HTTP GET parameter directly to PHP's `file()` function without sufficient filtration [ref_id=1]. The advisory does not show the full source of `importer.php`, but the flaw is in how it handles the `what` parameter before using it in a file-reading operation.

What the fix does

The vendor released AWS XMS version 2.6 to fix the vulnerability [ref_id=1]. The advisory does not include a patch diff, but the fix presumably adds proper input validation or sanitization to the `what` parameter in `/importer.php` before it is used in the `file()` function. Users should upgrade to version 2.6 or later to close the path traversal vector.

Preconditions

  • config: The target must be running AWS XMS version 2.5 (or possibly earlier versions)
  • auth: No authentication is required; the attacker can reach /importer.php over HTTP
  • network: The attacker must be able to send HTTP GET requests to the vulnerable host
  • input: The 'what' parameter is passed unsanitized to PHP's file() function

Reproduction

1. Identify a target running AWS XMS 2.5.
2. Use `wget` to retrieve the source code of `defaults.php` (which contains configuration data and administrator credentials) via NULL-byte injection: `wget http://[host]/importer.php?what=defaults.php%00.js` [ref_id=1].
3. If the target runs PHP 5.3.4 or later (which blocks NULL bytes), use path normalization with a large number of `/` symbols: `wget http://[host]/importer.php?what=defaults.php///////...//////.js` (4096 slashes are sufficient on most platforms) [ref_id=1].
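The two request shapes described in the attack vector and reproduction sections leave distinctive traces in web-server access logs. The following detector is an added example written for this page, not code from the advisory or from AWS XMS; it parses constructed common-log-format lines (assumed format; the IPs and timestamps are made up) and flags `importer.php` requests whose `what` value carries a NULL byte, a run of padding slashes, or other generic CWE-22 indicators.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jan/2020:10:00:01 +0000] "GET /importer.php?what=menu.js HTTP/1.1" 200 512
203.0.113.9 - - [27/Jan/2020:10:00:07 +0000] "GET /importer.php?what=defaults.php%00.js HTTP/1.1" 200 2048
203.0.113.9 - - [27/Jan/2020:10:00:09 +0000] "GET /importer.php?what=defaults.php/////////////.js HTTP/1.1" 200 2048
203.0.113.9 - - [27/Jan/2020:10:00:12 +0000] "GET /importer.php?what=..%2Fdefaults.php HTTP/1.1" 200 2048
198.51.100.2 - - [27/Jan/2020:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 900
"""

# Client IP and the quoted request line of a common-log-format entry.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def traversal_indicators(what: str) -> list[str]:
    """Name the path-traversal indicators present in one 'what' value.

    parse_qs has already URL-decoded the value once; a second unquote
    catches double-encoded payloads such as %2500.
    """
    value = unquote(what)
    reasons = []
    if "\x00" in value:                       # defaults.php%00.js (PHP before 5.3.4)
        reasons.append("null-byte")
    if re.search(r"/{3,}", value):            # defaults.php////...////.js padding
        reasons.append("slash-padding")
    if any(seg == ".." for seg in re.split(r"[\\/]", value)):
        reasons.append("dot-dot")             # classic ../ traversal (CWE-22)
    if value.startswith(("/", "\\")):
        reasons.append("absolute-path")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Return one record per importer.php request whose 'what' looks like traversal."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/importer.php"):
            continue
        for what in parse_qs(parts.query).get("what", []):
            reasons = traversal_indicators(what)
            if reasons:
                findings.append({"ip": m.group("ip"), "what": what, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']}: what={f['what']!r} -> {', '.join(f['reasons'])}")
```

The slash-padding threshold of three consecutive slashes is deliberately low: a legitimate `what` value never needs them, and the real payload uses thousands.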

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)
