lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <411DE372.1080104@ifrance.com>
Date: Sat, 14 Aug 2004 12:03:30 +0200
From: Cyrille Barthelemy <cb-lse@...ance.com>
To: bugtraq@...urityfocus.com
Subject: QuiXplorer directory traversal


Title: 	QuiXplorer directory traversal
Affects:
	<= QuiXplorer 2.3
Effect: file disclosure, web server's user read access
Id: cbsa-0003
Release Date: 2004 08 14
Author: Cyrille Barthelemy <cb-publicbox@...ance.com>


-- 1. Introduction
------------------
 From QuiXplorer documentation :

"QuiXplorer is a simple, but fully functional, file manager for websites.
QuiXplorer allows you to browse the files & directories on your webserver
(with PHP4). (without using an external FTP-client)"


-- 2. Problem
-------------
QuiXplorer does not apply filters on user inputs when a download is 
requested.
The directory parameter is well filtered to check that it does not 
create a request
that goes outside the authorized directories, but the item can contains 
parent directory
references.
As quixplorer does not make the request ing the web server features, any 
file on the
server can be obtained (according to jail or chroot).


-- 3. Solution
--------------
Apply the given attached patch against the QuiXplorer 2.3 sources or 
download the
latest version (2.3.1) from the web site.


-- 4. References
----------------
   - QuiXplorer web site
	http://quixplorer.sourceforge.net/


-- 5. History
-------------
2004-08-12
	- Vulnerability discovered
2004-08-12
	- Vulnerability reported to quixproject at users.sourceforge.net
	- Vendor response, new version available
2004-08-14
	- Release

	
-- 6. Patch
-----------
------------8<-------------

--- quixplorer_2_3.orig/.include/fun_down.php	2003-04-25 
22:15:28.000000000 +0200
+++ quixplorer_2_3/.include/fun_down.php	2004-08-12 14:23:46.551569904 +0200
@@ -39,6 +39,7 @@
 
------------------------------------------------------------------------------*/
 
//------------------------------------------------------------------------------
  function download_item($dir, $item) {		// download file
+       $item=basename($item);
  	if(($GLOBALS["permissions"]&01)!=01) 
show_error($GLOBALS["error_msg"]["accessfunc"]);
  	if(!get_is_file($dir,$item)) show_error($item.": 
".$GLOBALS["error_msg"]["fileexist"]);
  	if(!get_show_item($dir, $item)) show_error($item.": 
".$GLOBALS["error_msg"]["accessfile"]);

------------8<-------------


-- 
Cyrille Barthelemy
Epita SRS
http://www.cyrille-barthelemy.com
http://www.vnet-project.org



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ