Date: Mon, 8 Nov 2010 10:50:08 -0800
From: Zach C <fxchip@...il.com>
To: "advisories@...ern0t.net" <advisories@...ern0t.net>
Cc: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: Seo Panel 2.1.0 - Critical File Disclosure

This is really a non-fix, as some legitimate files might have the double-period as part of their names, and it might still be circumvented with exactly the same string you provided here minus one slash.

The real solution would be to get the absolute path of the file provided and fail if that path isn't beneath the current directory/directory this should operate under. Something like:

$fnCheck = realpath($fileName);  // FALSE if the file does not exist, so we fail closed
$base = rtrim(getcwd(), DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;  // compare against "dir/" so a sibling "dir2" is not accepted
if ($fnCheck === FALSE || strncasecmp($base, $fnCheck, strlen($base)) !== 0) return false;

(replacing getcwd() with whatever dir this should work with if not the current one)

-Zach

Sent from my iPhone

On Nov 8, 2010, at 7:00 AM, advisories@...ern0t.net wrote:

> Seo Panel - Critical File Disclosure
> 
> 
> Versions Affected: 2.1.0 (previous versions were not checked.)
> 
> Info:
> A complete open source seo control panel for managing search engine optimization of your websites.
> Seo Panel is a seo tool kit that includes the latest hot seo tools to increase and track the performance of your websites.
> 
> External Links:
> http://www.seopanel.in/
> 
> Credits: MaXe (@InterN0T)
> 
> 
> -:: The Advisory ::-
> Seo Panel is prone to Critical File Disclosure because download.php does not sanitize user
> input properly via the "file" GET-parameter.
> By using ....// instead of ../ to traverse through directories and by appending a %00 byte
> in the end of the request it is possible to load virtually any file that the webserver user has
> read access to. The PHP function which reads & returns the data from the file is: readfile($var);
> 
> 
> Proof of Concept URL:
> http://example.tld/seopanel/download.php?filesec=sitemap&filetype=text&file=....//config/sp-config.php%00.txt
> 
> Note: This attack requires a valid user though it works regardless of any privileges the user might have.
> (User registrations are enabled by default as well, making this attack possible in most scenarios.)
> 
> 
> -:: Solution ::-
> download.ctrl.php: (Line 55-62)
> 55  function isValidFile($fileName) {
> 56      $fileName = urldecode($fileName);
>        // This tries to prevent directory traversal
> 57      $fileName = str_replace('../', '', $fileName);
> 58      if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
> 59          return $fileName;
> 60      }      
> 61      return false;
> 62  }
> 
> Suggested patch: (Line 55-62)
> 55  function isValidFile($fileName) {
> 56      $fileName = urldecode($fileName);
>        // This isn't as easy to bypass anymore
> 57      $fileName = str_replace('..', '', $fileName); // This is changed.
> 58      if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
> 59          return $fileName;
> 60      }      
> 61      return false;
> 62  }
> 
> 
> Disclosure Information:
> - Vulnerabilities found and researched: 31st October 2010
> - Full Disclosure 8th November 2010
> 
> References:
> http://www.exploit-db.com/finding-0days-in-web-applications/
> http://www.youtube.com/watch?v=ni3inoHkOPc
> http://forum.intern0t.net/intern0t-advisories/3329-search-engine-optimization-panel-2-1-0-critical-file-disclosure.html
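As an added example (not Seo Panel's code, nor code posted by either participant), the two validators discussed in this thread side by side in PHP: the advisory's str_replace('..') patch and a containment check built the way Zach describes (realpath plus a base-directory prefix test, with the NUL byte rejected up front). The directory layout, file names and the $baseDir parameter are constructed for the demo; the payload string is the one from the advisory.

```php
<?php
// Advisory's "suggested patch": strip ".." and trust the extension check.
function isValidFileStripDots(string $fileName) {
    $fileName = urldecode($fileName);
    $fileName = str_replace('..', '', $fileName);
    return preg_match('/\.xml$|\.html$|\.txt$/i', $fileName) ? $fileName : false;
}

// Zach's approach: resolve the path and require it to be beneath $baseDir.
function isValidFileRealpath(string $fileName, string $baseDir) {
    $fileName = urldecode($fileName);
    if (strpos($fileName, "\0") !== false) {   // a NUL byte can never be part of a real path
        return false;
    }
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $fileName); // FALSE if missing: fail closed
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return false;
    }
    // Compare against "$base/" so "/srv/sitemaps2" does not pass as "/srv/sitemaps".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return preg_match('/\.xml$|\.html$|\.txt$/i', $real) ? $real : false;
}

// Constructed layout: sitemaps/sitemap.txt is the only file that should be served.
$tmp  = sys_get_temp_dir() . '/sp_demo_' . bin2hex(random_bytes(4));
$base = "$tmp/sitemaps";
mkdir($base, 0700, true);
mkdir("$tmp/config", 0700, true);
file_put_contents("$base/sitemap.txt", "ok");
file_put_contents("$tmp/config/notes.txt", "outside the sitemap directory");

$cases = [
    '....//config/sp-config.php%00.txt', // the advisory's payload
    '../config/notes.txt',               // plain traversal to an allowed extension
    'sitemap.txt',                       // legitimate request
];
foreach ($cases as $c) {
    printf("%-36s strip-dots: %-32s realpath: %s\n", $c,
        var_export(isValidFileStripDots($c), true),
        var_export(isValidFileRealpath($c, $base), true));
}

// Tidy up the constructed files.
unlink("$base/sitemap.txt"); unlink("$tmp/config/notes.txt");
rmdir($base); rmdir("$tmp/config"); rmdir($tmp);
```

The string-stripping version hands back a truthy name for every case (for the payload one that still carries the embedded NUL); the containment check returns the canonical path for sitemap.txt only and false for the other two.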
