
Seo Panel 2.1.0 File Disclosure

Date: 09 Nov 2010
Reported by: MaXe
Type: packetstorm
Source: packetstormsecurity.com

Seo Panel 2.1.0 Critical File Disclosure in download.ph

Code
`Seo Panel - Critical File Disclosure  
  
  
Versions Affected: 2.1.0 (previous versions were not checked.)  
  
Info:  
A complete open source SEO control panel for managing search engine optimization of your websites.  
Seo Panel is an SEO tool kit that includes the latest hot SEO tools to increase and track the performance of your websites.  
  
External Links:  
http://www.seopanel.in/  
  
Credits: MaXe (@InterN0T)  
  
  
-:: The Advisory ::-  
Seo Panel is prone to Critical File Disclosure because download.php does not properly sanitize  
user input passed via the "file" GET parameter.  
The filter removes ../ in a single pass, so ....// collapses back to ../ after filtering.  
By using ....// instead of ../ to traverse directories, and by appending a %00 byte  
to the end of the request, it is possible to load virtually any file that the webserver user has  
read access to. The PHP function which reads and returns the data from the file is: readfile($var);  
  
  
Proof of Concept URL:  
http://example.tld/seopanel/download.php?filesec=sitemap&filetype=text&file=....//config/sp-config.php%00.txt  
  
Note: This attack requires a valid user account, though it works regardless of the privileges that user has.  
(User registrations are enabled by default as well, making this attack possible in most scenarios.)  
  
  
-:: Solution ::-  
download.ctrl.php: (Line 55-62)  
55 function isValidFile($fileName) {  
56 $fileName = urldecode($fileName);  
// This tries to prevent directory traversal  
57 $fileName = str_replace('../', '', $fileName);  
58 if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {  
59 return $fileName;  
60 }   
61 return false;  
62 }  
  
Suggested patch: (Line 55-62)  
55 function isValidFile($fileName) {  
56 $fileName = urldecode($fileName);  
// This isn't as easy to bypass anymore  
57 $fileName = str_replace('..', '', $fileName); // This is changed.  
58 if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {  
59 return $fileName;  
60 }   
61 return false;  
62 }  
  
  
Disclosure Information:  
- Vulnerabilities found and researched: 31st October 2010  
- Full Disclosure: 8th November 2010  
  
References:  
http://www.exploit-db.com/finding-0days-in-web-applications/  
http://www.youtube.com/watch?v=ni3inoHkOPc  
http://forum.intern0t.net/intern0t-advisories/3329-search-engine-optimization-panel-2-1-0-critical-file-disclosure.html  
`
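
The single-pass filtering described in the advisory, next to a stricter check that rejects input and verifies the resolved path, as an added example (not Seo Panel's code and not the advisory author's patch). The function names isValidFileOriginal and resolveDownload, the allowed file-name pattern and the temporary sample directory are assumptions made for illustration.

```php
<?php
// Added illustration; function names and the sample directory are hypothetical.

// The 2.1.0 filter as quoted in the advisory: one non-recursive str_replace pass.
function isValidFileOriginal(string $fileName) {
    $fileName = urldecode($fileName);
    $fileName = str_replace('../', '', $fileName);
    return preg_match('/\.xml$|\.html$|\.txt$/i', $fileName) ? $fileName : false;
}

// Stricter variant: reject suspicious input instead of rewriting it, then
// confirm the canonical path is still inside the download directory.
function resolveDownload(string $fileName, string $baseDir) {
    if (strpos($fileName, "\0") !== false) {
        return false;                                   // NUL byte in a path
    }
    // Assumed policy: a bare file name with an allowed extension, no separators.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(xml|html|txt)\z/i', $fileName)) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $fileName);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;                                   // missing, or outside the base
    }
    return $path;
}

// Constructed sample data: a temporary directory standing in for the sitemap folder.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sp_demo_' . getmypid();
mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'sitemap1.txt', 'demo');

// A legitimate name, and the "file" value from the advisory's proof of concept.
$inputs = ['sitemap1.txt', '....//config/sp-config.php' . "\0" . '.txt'];
foreach ($inputs as $in) {
    $old = isValidFileOriginal($in);       // filter from the advisory
    $new = resolveDownload($in, $baseDir); // stricter check
    echo json_encode(['input' => $in, 'original' => $old, 'hardened' => $new],
                     JSON_UNESCAPED_SLASHES), "\n";
}

unlink($baseDir . DIRECTORY_SEPARATOR . 'sitemap1.txt');
rmdir($baseDir);
```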
