PHP File Vault 0.9 Directory Traversal / File Read

2016.07.26
Credit: N_A
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-22

PHP File Vault version 0.9, remote directory traversal and read file vulnerability
==================================================================================

Discovered by N_A, N_A[at]tutanota.com
======================================

Description
===========

A very small PHP website application which stores anonymously uploaded files and retrieves them by SHA1 hash (a fingerprint of the file which is provided after uploading). Developed for anonysource.org, a kanux project.

https://sourceforge.net/projects/php-file-vault

Vulnerability
=============

The vulnerability exists within the fileinfo.php file of the package:

    if (empty($_GET['sha1'])) die("sha1 is required to get file info");
    $sha1 = trim($_GET['sha1']);

The 'sha1' variable is taken from the GET request and, apart from trim(), is not validated. It is passed as a variable to the 'parseFileInfo' function. This function incorporates a call to the fopen() function within PHP:

    function parseFileInfo($fi) {
        $fh = fopen($fi,'r');
        $fname = trim(fgets($fh));
        fclose($fh);
        return array($fname);
    }

The parseFileInfo() function is called within the file fileinfo.php with the 'sha1' variable appended to the FI directory constant:

    if (!is_readable(FI.$sha1)) die("cannot read file info!");
    list($fname) = parseFileInfo(FI.$sha1);
    readfile('head.html');
    if ($fname) echo "<h1><a href=\"/$sha1\">$fname</a></h1>";

Because '$sha1' may contain '../' sequences, the concatenated path can escape the FI directory. This is the vulnerability that allows part of *any world readable* file (the first line, since fgets() reads a single line) to be read by a remote attacker and echoed back in the page. Attacks can include gathering sensitive information from files such as .bash_history, .rhosts, /etc/passwd and so on.

Proof Of Concept
================

PoC exploit = http://127.0.0.1/htdocs/fileinfo.php?sha1=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
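A hardened version of the fileinfo.php lookup, added here as an example and not code from the PHP File Vault project: it rejects anything that is not a bare 40-hex-digit SHA-1 before building the path, and additionally confirms with realpath() that the resolved record still lies under the FI directory. The FI value is a placeholder path assumed for the example.

```php
<?php
// Added example (not from PHP File Vault): hardened fileinfo.php lookup.
// FI is the directory of per-file info records, as in the original code;
// the path below is an assumed placeholder.
define('FI', '/var/www/php-file-vault/fileinfo/');

// Return the canonical info-record path for a user-supplied sha1, or null
// if the value is not a bare hex SHA-1 or resolves outside FI.
function safeFileInfoPath(string $sha1): ?string {
    // 1. Whitelist: a SHA-1 is exactly 40 hex characters, nothing else.
    //    This alone rejects ".", "..", "/" and a URL-decoded "%2F".
    if (!preg_match('/\A[0-9a-fA-F]{40}\z/', $sha1)) {
        return null;
    }
    // 2. Defence in depth: canonicalise and confirm containment, so the
    //    check still holds if the whitelist is ever loosened.
    $base = realpath(FI);
    $path = realpath(FI . $sha1);
    if ($base === false || $path === false) {
        return null;   // FI missing or no record for this hash
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;   // resolved outside the info directory
    }
    return $path;
}

// Unchanged from the original apart from the string cast: fgets() returns
// false on an empty file, which trim() would otherwise warn about.
function parseFileInfo(string $fi): array {
    $fh = fopen($fi, 'r');
    $fname = trim((string) fgets($fh));
    fclose($fh);
    return array($fname);
}

$sha1 = isset($_GET['sha1']) ? trim($_GET['sha1']) : '';
$path = safeFileInfoPath($sha1);
if ($path === null) {
    http_response_code(400);
    die("invalid sha1");   // no path details leaked to the client
}
list($fname) = parseFileInfo($path);
readfile('head.html');
if ($fname) {
    // Escape both values on output; the stored name is attacker-supplied.
    echo '<h1><a href="/' . htmlspecialchars($sha1, ENT_QUOTES) . '">'
       . htmlspecialchars($fname, ENT_QUOTES) . '</a></h1>';
}
```

With this change the PoC request above fails the whitelist check and receives a 400 response; a log of such rejections is a useful detection signal for traversal probing against the application.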


Copyright 2017, cxsecurity.com