Snif Arbitrary File Retrieval

2003-11-25T04:45:07
ID OSVDB:2870
Type osvdb
Reporter OSVDB
Modified 2003-11-25T04:45:07

Description

Vulnerability Description

Snif has a flaw in which the script uses two query-strings ("path" and "download") from the supplied URL and concatenates them. The script has no sanity checking for the $filename variable which allows an attacker to supply arbitrary files to be downloaded or viewed.

Solution Description

Upgrade to version 1.2.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Snif has a flaw in which the script uses two query-strings ("path" and "download") from the supplied URL and concatenates them. The script has no sanity checking for the $filename variable which allows an attacker to supply arbitrary files to be downloaded or viewed.

Manual Testing Notes

http://[target]/snif/index.php?download=/etc/passwd

References:

Secunia Advisory ID:10302 Nessus Plugin ID:11944 Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/2983.html ISS X-Force ID: 13876 Bugtraq ID: 9121