Seo Panel 2.1.0 - Critical File Disclosure

01 Jul 2014 00:00:00, reported by RootType
Source: seebug (www.seebug.org)

Seo Panel 2.1.0 Critical File Disclosure due to download.php vulnerability allowing unauthorized access to server file

Title: Seo Panel 2.1.0 - Critical File Disclosure

Body:
Seo Panel - Critical File Disclosure
http://www.exploit-db.com/finding-0days-in-web-applications/

Versions Affected: 2.1.0 (previous versions were not checked.)

Info:
A complete open source SEO control panel for managing search engine optimization of your websites.
Seo Panel is an SEO tool kit that includes the latest SEO tools to increase and track the performance of your websites.

External Links:
http://www.seopanel.in/

Credits: MaXe (@InterN0T)


-:: The Advisory ::-
Seo Panel is prone to critical file disclosure because download.php does not sanitize the user-supplied
"file" GET parameter properly.
By using ....// instead of ../ to traverse directories (the filter removes "../" in a single pass, so the
inner "../" is stripped and the remaining characters collapse into a fresh "../") and by appending a %00 byte
to the end of the request, it is possible to load virtually any file that the web server user has read
access to. The trailing ".txt" after the %00 satisfies the extension whitelist, while the null byte terminates
the path when the file is opened (PHP versions before 5.3.4 do not reject paths containing NUL).
The PHP function which reads and returns the data from the file is: readfile($var);


Proof of Concept URL:
http://example.tld/seopanel/download.php?filesec=sitemap&filetype=text&file=....//config/sp-config.php%00.txt

Note: This attack requires a valid user, though it works regardless of any privileges the user might have.
(User registration is enabled by default as well, making this attack possible in most scenarios.)


-:: Solution ::-
download.ctrl.php: (Line 55-62)
55	function isValidFile($fileName) {
56		$fileName = urldecode($fileName);
		// This tries to prevent directory traversal
57		$fileName = str_replace('../', '', $fileName);
58		if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
59			return $fileName;
60		}		
61		return false;
62	}
	
Suggested patch: (Line 55-62)
55	function isValidFile($fileName) {
56		$fileName = urldecode($fileName);
		// This isn't as easy to bypass anymore
57		$fileName = str_replace('..', '', $fileName); // This is changed.
58		if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
59			return $fileName;
60		}		
61		return false;
62	}
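To make the bypass and the fix concrete, the following Python model (added here as an illustration; it is not code from Seo Panel or from the advisory) re-implements the three checks side by side: the original isValidFile(), the advisory's suggested patch, and a hardened variant that canonicalises the full path and rejects NUL bytes. Python's str.replace() behaves like PHP's str_replace() (one pass over the input, no rescan of the result), and the NUL truncation that PHP versions before 5.3.4 applied when readfile() opened a path is modelled explicitly. The SITEMAP_DIR path and the assumption that download.php simply prepends the sitemap directory to the filename are mine; the page does not show that part of the controller. The model also shows the caveat behind the advisory's "isn't as easy to bypass anymore": the suggested patch stops the traversal, but a "%00.txt" suffix still defeats the extension whitelist on affected PHP versions, which is why the hardened variant refuses NUL bytes outright.

```python
import posixpath
import re

# Extension whitelist, identical to the regex quoted in the advisory.
ALLOWED_EXT = re.compile(r"\.xml$|\.html$|\.txt$", re.IGNORECASE)

# Assumed layout (not from the page): web root and the directory download.php serves from.
WEB_ROOT = "/var/www/seopanel"
SITEMAP_DIR = posixpath.join(WEB_ROOT, "sitemap")


def is_valid_file_vulnerable(file_name):
    """Model of the original isValidFile(): one pass of '../' removal, then
    the extension whitelist. Returns the 'sanitised' name or None."""
    # Like PHP's str_replace, str.replace does not rescan, so '....//' becomes '../'.
    file_name = file_name.replace("../", "")
    if ALLOWED_EXT.search(file_name):
        return file_name
    return None


def is_valid_file_patched(file_name):
    """Model of the advisory's suggested patch: strip every '..' instead of '../'."""
    file_name = file_name.replace("..", "")
    if ALLOWED_EXT.search(file_name):
        return file_name
    return None


def resolve_as_old_php(base_dir, file_name):
    """What readfile() actually opened on PHP < 5.3.4: the controller is assumed
    to prepend base_dir, and the C-level open() stops at the first NUL byte,
    so everything after '%00' (including the whitelisted '.txt') is discarded."""
    truncated = file_name.split("\x00", 1)[0]
    return posixpath.normpath(base_dir.rstrip("/") + "/" + truncated)


def is_valid_file_hardened(base_dir, file_name):
    """Hardened check: reject NUL bytes, canonicalise base_dir + file_name and
    require the result to stay inside base_dir, then apply the whitelist to the
    canonical path. Returns the path to serve, or None."""
    if "\x00" in file_name:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(base + "/" + file_name)
    # Containment is decided on the canonical path, not on the raw input.
    # A real deployment would use os.path.realpath() here so symlinks cannot escape either.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    if not ALLOWED_EXT.search(candidate):
        return None
    return candidate


if __name__ == "__main__":
    poc = "....//config/sp-config.php\x00.txt"  # the advisory's PoC value, URL-decoded
    print("vulnerable filter returns:", repr(is_valid_file_vulnerable(poc)))
    print("old PHP opens:            ", resolve_as_old_php(SITEMAP_DIR, is_valid_file_vulnerable(poc)))
    print("patched filter returns:   ", repr(is_valid_file_patched(poc)))
    print("old PHP opens:            ", resolve_as_old_php(SITEMAP_DIR, is_valid_file_patched(poc)))
    print("hardened filter returns:  ", is_valid_file_hardened(SITEMAP_DIR, poc))
    print("hardened, legit request:  ", is_valid_file_hardened(SITEMAP_DIR, "sitemap.xml"))
```

Run as-is, the vulnerable path resolves to the config file outside the sitemap directory; the patched filter keeps the request under SITEMAP_DIR but still hands a ".php" path to readfile() once the NUL is honoured, and only the hardened variant rejects the request.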


Disclosure Information:
- Vulnerabilities found and researched: 31st October 2010
- Full Disclosure ~Early November 2010
                              

Vulners AI Score: 7.1 (High risk)