lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 07 Dec 2015 18:12:49 +0100
From: "Curesec Research Team (CRT)" <>
Subject: [FD] 4images 1.7.11: Path Traversal

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    4images 1.7.11
Fixed in:            1.7.12
Fixed Version Link:
Vendor Website:
Vulnerability Type:  Path Traversal
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 12/02/2015
Release mode:        Coordinated release
CVE:                 Requested, but not assigned
Credits              Tim Coen of Curesec GmbH

2. Vulnerability Description


Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N


When downloading or displaying a backup file, the file Parameter is vulnerable
to directory traversal. This is the case because the get_basefile function
contains a bug. When the passed path name ends with a slash, it will return the
entire path instead of the file name.

By adding ?/ to the file name, an attacker can thus download or display
arbitrary files.

Admin credentials are required to view or download backup files.

3. Proof of Concept

GET /4images/admin/backup.php?action=downloadbackup&file=../../../../../../etc/passwd?/ HTTP/1.1
GET /4images/admin/backup.php?action=showbackup&file=../../../../../../etc/passwd?/ HTTP/1.1

4. Code

        if (isset($HTTP_GET_VARS['file']) || isset($HTTP_POST_VARS['file'])) {
          $file = (isset($HTTP_GET_VARS['file'])) ? get_basefile(trim($HTTP_GET_VARS['file'])) : get_basefile(trim($HTTP_POST_VARS['file']));
        else {
          $file = "";

        if ($action == "downloadbackup") {
          $size = @filesize(ROOT_PATH.DATABASE_DIR."/".$file);
          header("Content-type: application/x-unknown");
          header("Content-length: $size\n");
          header("Content-Disposition: attachment; filename=$file\n");

        function get_basename($path) {
          $path = str_replace("\\", "/", $path);
          $name = substr(strrchr($path, "/"), 1);
          return $name ? $name : $path;

        function get_basefile($path) {
          $basename = get_basename($path);
          preg_match("#(.+)\?(.+)#", $basename, $regs);
          return isset($regs[1]) ? $regs[1] : $basename;

5. Solution

To mitigate this issue please upgrade at least to version 1.7.12:

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases fix
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public

Blog Reference:

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists