Message-ID: <20031126230151.78bc0d6d.jay@j-security.co.uk>
From: jay at j-security.co.uk (J)
Subject: Snif 1.2.4 file retrieval bug
Vendor: http://www.bitfolge.de
Bug Found: November 24 2003
Date Reported: November 25, 2003
Severity: High
Systems Affected: Any running PHP
1. About Snif
-------------
From website:
Snif is a simple and nice index file.
Server generated directory indexes are ugly. OK, they work
everywhere, but they are still ugly. If you'd like your download
directory to be maintainable without creating and changing huge
HTML files, just put snif as its index file into the directory and
away you go!
Features:
- Ready to run: you don't have to change anything, just put snif
into a directory and let it do its job.
- Single file, does not clutter your directories
- File and directory descriptions
- Download files instead of opening them
- Listing sortable by name, size or date
- Display sub directories and handle direct requests to them gently
- Built-in file icons
- Optional: use external icons instead of built-in ones
2. Problem Description
----------------------
The script takes two query-string parameters, "path" and "download", from the
URL and concatenates them. The result is stored in the variable $filename,
which is the file to be downloaded.
By default the path variable is set to NULL, and there is no check that the
"download" parameter stays inside the default directory. An attacker could
therefore set "download" to any file on the file system while leaving "path"
NULL, and the script would serve the requested file.
<code>
// this handles the download requests
if ($_GET["download"]!="") {
    // This is where the path checking fails
    $filename = $path.$_GET["download"];
    if (
        !file_exists($filename)
        OR fileIsHidden($_GET["download"])
        OR (substr(strtolower($_GET["download"]), -4)==".php" AND !$allowPHPDownloads)) {
        Header("HTTP/1.0 404 Not Found");
        echo "<b>Error: File not found.</b><br><br>we suggest you
        <a href=\"".$_SERVER["HTTP_REFERER"]."\">go back</a>";
    } else {
        Header("Content-Length: ".filesize($filename));
        Header("Content-Type: application/x-download");
        Header("Content-Disposition: attachment; filename=".$_GET["download"]);
        readfile($filename);
    }
    die();
}
</code>
An example:
http://www.yourserver.com/snif/index.php?download=/etc/passwd
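The missing containment check, as an added example (not Snif's code and not the vendor's 1.2.5 fix): the requested name is resolved with realpath() and must remain inside the indexed directory. The function name resolveDownload(), the $baseDir parameter and the demo files are assumptions made for illustration.

```php
<?php
// Added example, not Snif's code. resolveDownload() and $baseDir are hypothetical.

/** Return the canonical path of $requested if it is a file inside $baseDir, else null. */
function resolveDownload(string $baseDir, string $requested): ?string
{
    // Empty names and NUL bytes are never valid file names.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Anchor the request under the base directory, then canonicalise so that
    // "..", "." and symlinks are resolved before any comparison is made.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare against "base/" so a sibling such as "files-private" cannot match "files".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo layout: <tmp>/files/readme.txt is public, <tmp>/secret.txt is not.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'snif_demo_' . uniqid();
mkdir($root . DIRECTORY_SEPARATOR . 'files', 0700, true);
file_put_contents($root . '/files/readme.txt', "public\n");
file_put_contents($root . '/secret.txt', "private\n");

// "/etc/passwd" is the value from the advisory; the others are constructed.
foreach (['readme.txt', '/etc/passwd', '../secret.txt'] as $name) {
    $path = resolveDownload($root . '/files', $name);
    // A real handler would send 404 on null, otherwise readfile($path) with
    // basename($path) as the Content-Disposition filename.
    printf("%-15s => %s\n", $name, $path === null ? '404' : 'serve ' . basename($path));
}

// Clean up the demo files.
unlink($root . '/files/readme.txt');
unlink($root . '/secret.txt');
rmdir($root . '/files');
rmdir($root);
```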
3. Vulnerable Versions
----------------------
All versions before 1.2.5 are vulnerable
4. Solution
------------
Download version 1.2.5 from the vendor's homepage.
http://www.bitfolge.de/snif
5. Timeline
------------
24 November 2003 - Bug Found
25 November 2003 - Vendor Contacted
26 November 2003 - Vendor Fixed Bug
Regards
Jay
jay@...ecurity.co.uk