Date: Mon, 8 Nov 2010 08:00:06 -0700
Subject: Seo Panel 2.1.0 - Critical File Disclosure

Seo Panel - Critical File Disclosure

Versions Affected: 2.1.0 (previous versions were not checked.)
A complete open source SEO control panel for managing search engine optimization of your websites.
Seo Panel is an SEO toolkit that includes the latest SEO tools to increase and track the performance of your websites.
External Links:
Credits: MaXe (@InterN0T)
-:: The Advisory ::-
Seo Panel is prone to critical file disclosure because download.php does not properly sanitize
user input passed via the "file" GET parameter.
By using ....// instead of ../ to traverse directories and by appending a %00 byte
at the end of the request, it is possible to load virtually any file that the web server user has
read access to. The PHP function which reads and returns the data from the file is: readfile($var);
Proof of Concept URL:
Note: This attack requires a valid user, though it works regardless of any privileges the user might have.
(User registrations are enabled by default as well, making this attack possible in most scenarios.)
-:: Solution ::-
download.ctrl.php: (Line 55-62)
55  function isValidFile($fileName) {
56      $fileName = urldecode($fileName);
        // This tries to prevent directory traversal
57      $fileName = str_replace('../', '', $fileName);
58      if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
59          return $fileName;
60      }
61      return false;
62  }
Suggested patch: (Line 55-62)
55  function isValidFile($fileName) {
56      $fileName = urldecode($fileName);
        // This isn't as easy to bypass anymore
57      $fileName = str_replace('..', '', $fileName); // This is changed.
58      if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
59          return $fileName;
60      }
61      return false;
62  }
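As an added example (not code from the advisory or from Seo Panel itself), a stricter validator that avoids the pattern-stripping approach altogether: it rejects NUL bytes, which str_replace('..', '') does not remove, refuses any directory separator, and confines the resolved path to an allowed directory with realpath(). The helper name isValidFileStrict and the $baseDir reports directory are assumptions for the example.

```php
<?php
// Added example: strict validation for a download-style endpoint.
// Returns the resolved absolute path inside $baseDir, or false.
function isValidFileStrict(string $fileName, string $baseDir)
{
    // Do not urldecode() again: PHP already decoded $_GET once, and a second
    // decode is what turns an encoded %00 into a raw NUL byte.
    if ($fileName === '' || strpos($fileName, "\0") !== false) {
        return false;
    }
    // Allow only a plain file name: no "/" or "\" at all, so "..", "....//",
    // absolute paths and backslash tricks are all rejected together.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $fileName) || $fileName[0] === '.') {
        return false;
    }
    // Keep the original extension allow-list, anchored at the real end.
    if (!preg_match('/\.(xml|html|txt)$/i', $fileName)) {
        return false;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $fileName);
    if ($base === false || $full === false) {
        return false; // base missing, or file does not exist
    }
    // Confine to $baseDir even if a symlink resolved somewhere else.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return $full;
}

// Demo with constructed input: a temporary base directory holding one report.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'seopanel_reports_demo';
is_dir($baseDir) || mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'report.txt', "demo\n");

$samples = [
    'report.txt',                 // accepted: resolved path inside $baseDir
    '....//....//etc/passwd',     // rejected: separators not allowed
    "../../etc/passwd\0.txt",     // rejected: NUL byte
    '/etc/passwd.txt',            // rejected: absolute path
];
foreach ($samples as $name) {
    printf("%-28s => %s\n", addcslashes($name, "\0"),
        var_export(isValidFileStrict($name, $baseDir), true));
}
```

Only the first sample resolves to a path; the others return false before any file is opened, so readfile() never sees attacker-controlled traversal.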
Disclosure Information:
- Vulnerabilities found and researched: 31st October 2010
- Full Disclosure: 8th November 2010