Multiple Vulnerabilities found in Rapidleech

1. General Information

Rapidleech is a web-based application that supports uploading and downloading files on the Internet, in particular files hosted on popular sites such as rapidshare.com, megaupload.com and depositfiles.com. On March 03, 2009, Bkis detected several vulnerabilities in the Upload function of Rapidleech. These are highly critical vulnerabilities: they allow attackers to collect a great deal of sensitive information and even to execute malicious code and take control of the server. We have reported them to the developer team (www.rapidleech.com).

Details : http://security.bkis.vn/?p=345
Bkis Advisory : Bkis-03-2009
Initial vendor notification : 03/04/2009
Release Date : 03/14/2009
Update Date : 03/14/2009
Discovered by : Dau Huy Ngoc, Bkis
Attack Type : Arbitrary File Download, Local File Inclusion, XSS
Security Rating : Critical
Impact : Code Execution
Affected Software : Rapidleech <= rev.36

2. Description

These vulnerabilities are found in the Upload function, which gives users the ability to transfer their downloaded files to file-sharing and storage websites such as yousendit.com and 4shared.com.

The first flaw (Arbitrary File Download) is due to the fact that Rapidleech does not perform a careful check on the paths of downloaded files. More precisely, the file path is an absolute path encoded in base64 and can point to any file on the server. This path is sent by the user as the "filename" parameter via the GET method. This allows an attacker to access arbitrary files on a Rapidleech server, in particular files containing sensitive information, e.g. "/etc/passwd".

The second flaw is a Local File Inclusion vulnerability, which occurs because the programmers did not check the input parameter of the include_once() function. This input is also sent by the user, via the "uploaded" parameter, and is a relative path to a script file that uploads a file to a particular file-sharing website, for instance yousendit.index.php or 4shared.index.php. Therefore, an attacker can read the content of an arbitrary file by making the path in the input point to that file. If that file contains malicious code, the attacker can take control of the Rapidleech server.

In order to exploit these vulnerabilities, an attacker only needs to perform a GET request from the browser with the desired file name and file path parameters. Depending on the attacker's purpose, as well as the configuration of the Rapidleech server, they can obtain sensitive information or even take complete control of the Rapidleech server.

In addition, we have also found an XSS vulnerability in the Upload function, which allows JavaScript to be executed in the browser. However, this vulnerability is only rated medium severity.

3. Solution

At the moment, the producer has not yet released a patch for these vulnerabilities. Therefore, Bkis recommends that all organizations and individuals using Rapidleech:

- Do not use the Upload function of Rapidleech until the producer releases a patch.
- Or download and apply this patch here (note: this is the patch provided by Bkis, not the producer).

www.Bkis.vn
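As an added defensive illustration (not Bkis's patch and not Rapidleech's own code), the following PHP shows how the two user-controlled parameters described above, "filename" and "uploaded", can be validated before a file is served or included. The directory names, the plugin-name pattern and the function names are assumptions made for this example.

```php
<?php
// Added example, not code from Rapidleech. Directory names and the
// plugin-name pattern below are assumptions for illustration.

define('DOWNLOAD_DIR', realpath(__DIR__ . '/files'));   // assumed folder of downloaded files
define('PLUGIN_DIR',   realpath(__DIR__ . '/upload'));  // assumed folder of *.index.php upload scripts

// "filename" arrives base64-encoded. The flaw was trusting any decoded
// absolute path; here the decoded path must resolve to a regular file
// inside DOWNLOAD_DIR, otherwise null is returned.
function safe_download_path(string $encoded): ?string {
    $decoded = base64_decode($encoded, true);            // strict mode rejects malformed base64
    if ($decoded === false || strpos($decoded, "\0") !== false) {
        return null;
    }
    $real = realpath($decoded);                          // collapses "..", "." and symlinks
    if ($real === false || !is_file($real) || DOWNLOAD_DIR === false) {
        return null;
    }
    // Compare against the directory plus a separator so "/files_x" cannot match "/files".
    $prefix = DOWNLOAD_DIR . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// "uploaded" names an upload script such as yousendit.index.php. Instead of
// handing the raw value to include_once(), accept only a whitelisted shape
// (no directory separators, no "..") and require the file to exist in PLUGIN_DIR.
function safe_plugin_path(string $uploaded): ?string {
    if (!preg_match('/^[a-z0-9]+\.index\.php$/', $uploaded)) {
        return null;
    }
    $candidate = PLUGIN_DIR . DIRECTORY_SEPARATOR . $uploaded;
    return is_file($candidate) ? $candidate : null;
}

// Request boundary: both values come from GET, as in the advisory.
$file   = safe_download_path($_GET['filename'] ?? '');
$plugin = safe_plugin_path($_GET['uploaded'] ?? '');
if ($file === null || $plugin === null) {
    http_response_code(400);
    exit('Invalid filename or uploaded parameter');
}
include_once $plugin;   // only a validated plugin from PLUGIN_DIR reaches this point
```

The same prefix check should be applied wherever the decoded "filename" is opened for reading, not only at the point of inclusion.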