Message-ID: <20031126230151.78bc0d6d.jay@j-security.co.uk>
From: jay at j-security.co.uk (J)
Subject: Snif 1.2.4 file retrieval bug


Vendor:			http://www.bitfolge.de
Bug Found: 		November 24 2003
Date Reported:		November 25, 2003
Severity:		High
Systems Affected:	Any running PHP


1. About Snif
-------------

From website:

Snif is a simple and nice index file.

Server generated directory indexes are ugly. OK, they work 
everywhere, but they are still ugly. If you'd like your download 
directory to be maintainable without creating and changing huge 
HTML files, just put snif as its index file into the directory and 
away you go!

Features:  	 
	
	- Ready to run: you don't have to change anything, just put snif 
	into a directory and let it do its job.
	- Single file, does not clutter your directories
	- File and directory descriptions
	- Download files instead of opening them	
	- Listing sortable by name, size or date
	- Display sub directories and handle direct requests to them gently
	- Built-in file icons
	- Optional: use external icons instead of built-in ones


2. Problem Description
----------------------

The script takes two query-string parameters, "path" and "download", from 
the URL and concatenates them. The result is stored in the variable 
$filename, which is the file to be downloaded. 
By default the path variable is NULL, and nothing checks whether the 
"download" value points outside the default directory. An attacker can 
therefore set "download" to any file on the file system while leaving 
"path" NULL, and the script will send back the requested file.


<code>
// this handles the download requests
if ($_GET["download"]!="") {
	// This is where the path checking fails
	$filename = $path.$_GET["download"];
	if (
		!file_exists($filename)
		OR fileIsHidden($_GET["download"])
		OR (substr(strtolower($_GET["download"]), -4)==".php" AND !$allowPHPDownloads)) {
		
		Header("HTTP/1.0 404 Not Found");
		echo "<b>Error: File not found.</b><br><br>we suggest you 
		<a href=\"".$_SERVER["HTTP_REFERER"]."\">go back</a>";
	} else {
		Header("Content-Length: ".filesize($filename));
		Header("Content-Type: application/x-download");
		Header("Content-Disposition: attachment; filename=".$_GET["download"]);
		readfile($filename);
	}
	die();
}
</code>

An example:
	http://www.yourserver.com/snif/index.php?download=/etc/passwd


3. Vulnerable Versions
----------------------

All versions before 1.2.5 are vulnerable


4. Solution
------------

Download version 1.2.5 from the vendor's homepage. 
http://www.bitfolge.de/snif
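
For sites that cannot upgrade straight away, the missing check from section 2 can be sketched as follows. This is an added example, not the vendor's 1.2.5 fix and not code from Snif; the function name resolveDownload() and its parameters are hypothetical. It canonicalises the requested name and refuses anything that resolves outside the indexed directory.

```php
<?php
// Added example, not Snif's code: resolve the requested name and refuse
// anything that lands outside the directory being indexed.

/**
 * Return the canonical path of $requested if it is a regular file inside
 * $baseDir, or null otherwise. Function and parameter names are hypothetical.
 */
function resolveDownload(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Always anchor the request under the base directory, so an absolute
    // name such as "/etc/passwd" becomes "<base>//etc/passwd".
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // realpath() has collapsed "../" and followed symlinks; require the
    // result to still sit below the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed self-check: a temporary directory with one file in it.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'snif_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'readme.txt', "hello\n");

foreach (['readme.txt', '/etc/passwd', '../../../etc/passwd', ''] as $name) {
    $ok = resolveDownload($dir, $name);
    printf("%-22s => %s\n", var_export($name, true), $ok === null ? 'rejected' : 'served');
}

unlink($dir . DIRECTORY_SEPARATOR . 'readme.txt');
rmdir($dir);
```

In a download handler, the returned path (never the raw query-string value) is what would be passed to filesize() and readfile().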



5. Timeline
------------

24 November 2003 - Bug Found
25 November 2003 - Vendor Contacted
26 November 2003 - Vendor Fixed Bug



Regards
Jay

jay@...ecurity.co.uk

