4images 1.7.11 Path Traversal

2015.12.14
Credit: Tim Coen
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-22

Security Advisory - Curesec Research Team 1. Introduction Affected Product: 4images 1.7.11 Fixed in: 1.7.12 Fixed Version Link: http://www.4homepages.de/download-4images Vendor Website: http://www.4homepages.de/ Vulnerability Type: Path Traversal Remote Exploitable: Yes Reported to vendor: 09/29/2015 Disclosed to public: 12/02/2015 Release mode: Coordinated release CVE: Requested, but not assigned Credits Tim Coen of Curesec GmbH 2. Vulnerability Description CVSS Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N Description When downloading or displaying a backup file, the file Parameter is vulnerable to directory traversal. This is the case because the get_basefile function contains a bug. When the passed path name ends with a slash, it will return the entire path instead of the file name. By adding ?/ to the file name, an attacker can thus download or display arbitrary files. Admin credentials are required to view or download backup files. 3. Proof of Concept GET /4images/admin/backup.php?action=downloadbackup&file=../../../../../../etc/passwd?/ HTTP/1.1 GET /4images/admin/backup.php?action=showbackup&file=../../../../../../etc/passwd?/ HTTP/1.1 4. Code /admin/bachup.php if (isset($HTTP_GET_VARS['file']) || isset($HTTP_POST_VARS['file'])) { $file = (isset($HTTP_GET_VARS['file'])) ? get_basefile(trim($HTTP_GET_VARS['file'])) : get_basefile(trim($HTTP_POST_VARS['file'])); } else { $file = ""; } if ($action == "downloadbackup") { $size = @filesize(ROOT_PATH.DATABASE_DIR."/".$file); header("Content-type: application/x-unknown"); header("Content-length: $size\n"); header("Content-Disposition: attachment; filename=$file\n"); readfile(ROOT_PATH.DATABASE_DIR."/".$file); exit; } /includes/functions.php function get_basename($path) { $path = str_replace("\\", "/", $path); $name = substr(strrchr($path, "/"), 1); return $name ? $name : $path; } function get_basefile($path) { $basename = get_basename($path); preg_match("#(.+)\?(.+)#", $basename, $regs); return isset($regs[1]) ? $regs[1] : $basename; } 5. Solution To mitigate this issue please upgrade at least to version 1.7.12: http://www.4homepages.de/download-4images Please note that a newer version might already be available. 6. Report Timeline 09/29/2015 Informed Vendor about Issue 10/21/2015 Reminded Vendor of Disclosure Date 11/03/2015 Vendor releases fix 11/17/2015 CVE Requested (no reply) 12/02/2015 Disclosed to public Blog Reference: https://blog.curesec.com/article/blog/4images-1711-Path-Traversal-106.html -- blog: https://blog.curesec.com tweet: https://twitter.com/curesec Curesec GmbH Curesec Research Team Romain-Rolland-Str 14-24 13089 Berlin, Germany


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top