4images version 1.7.11 suffers from a path traversal vulnerability.
c4757c716ab488a177508f9169af87ac53f3ef3126f3cfd083af1e9588a97ad8Security Advisory - Curesec Research Team
1. Introduction
Affected Product: 4images 1.7.11
Fixed in: 1.7.12
Fixed Version Link: http://www.4homepages.de/download-4images
Vendor Website: http://www.4homepages.de/
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: Requested, but not assigned
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
CVSS
Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
Description
When downloading or displaying a backup file, the file Parameter is vulnerable
to directory traversal. This is the case because the get_basefile function
contains a bug. When the passed path name ends with a slash, it will return the
entire path instead of the file name.
By adding ?/ to the file name, an attacker can thus download or display
arbitrary files.
Admin credentials are required to view or download backup files.
3. Proof of Concept
GET /4images/admin/backup.php?action=downloadbackup&file=../../../../../../etc/passwd?/ HTTP/1.1
GET /4images/admin/backup.php?action=showbackup&file=../../../../../../etc/passwd?/ HTTP/1.1
4. Code
/admin/bachup.php
if (isset($HTTP_GET_VARS['file']) || isset($HTTP_POST_VARS['file'])) {
$file = (isset($HTTP_GET_VARS['file'])) ? get_basefile(trim($HTTP_GET_VARS['file'])) : get_basefile(trim($HTTP_POST_VARS['file']));
}
else {
$file = "";
}
if ($action == "downloadbackup") {
$size = @filesize(ROOT_PATH.DATABASE_DIR."/".$file);
header("Content-type: application/x-unknown");
header("Content-length: $size\n");
header("Content-Disposition: attachment; filename=$file\n");
readfile(ROOT_PATH.DATABASE_DIR."/".$file);
exit;
}
/includes/functions.php
function get_basename($path) {
$path = str_replace("\\", "/", $path);
$name = substr(strrchr($path, "/"), 1);
return $name ? $name : $path;
}
function get_basefile($path) {
$basename = get_basename($path);
preg_match("#(.+)\?(.+)#", $basename, $regs);
return isset($regs[1]) ? $regs[1] : $basename;
}
5. Solution
To mitigate this issue please upgrade at least to version 1.7.12:
http://www.4homepages.de/download-4images
Please note that a newer version might already be available.
6. Report Timeline
09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases fix
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-Path-Traversal-106.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed