Multiple Vulnerabilities found in Rapidleech

1. General Information

Rapidleech is a Web based application supporting file upload and download on
the Internet, especially files from popular sites such as rapidshare.com,
megaupload.com, depositfiles.com.

On March 03, 2009, Bkis has detected several vulnerabilities in the upload
function of Rapidleech. These are highly critical vulnerabilities, allowing
hackers to collect a lot of sensitive information, and even execute
malicious code to take control of the server. We have submitted to Developer
Team (www.rapidleech.com).

Details         : http://security.bkis.vn/?p=345
Bkis Advisory      : Bkis-03-2009
Initial vendor notification  : 03/04/2009
Release Date       : 03/14/2009
Update Date        : 03/14/2009
Discovered by      : Dau Huy Ngoc, Bkis
Attack Type        : Arbitrary File Download, Local
File Inclusion, XSS
Security Rating      : Critical
Impact        : Code Execution
Affected Software      : Rapidleech <= rev.36

2. Description

These vulnerabilities are found in the Upload function, which gives users
the ability to transfer their downloaded files to Websites supporting file
sharing and storage such as yousendit.com, 4shared.com.

The first flaw (Arbitrary File Download) is due to the fact that Rapidleech
does not perform careful check on the paths of downloaded files. More
precisely, the file path must be an absolute path encoded in base64 and can
point to whichever files on servers. This path is sent from users as
"filename" parameter via GET method. This allows hackers to access arbitrary
files on a Rapidleech server, especially files containing sensitive
information, for e.g. "/etc/passwd".

The second flaw is a Local File Inclusion vulnerability, which occurs
because programmers did not perform check on the input parameter of the
include_once() function. This input is also sent from users via "uploaded"
parameter and is a relative path to a script file which uploads file to a
particular file sharing websites, for instance, yousendit.index.php,
4shared.index.php. Therefore, hackers can read the content of an arbitrary
file by making the path in the input point to that file. If that file
contains malicious code, hackers can take control of the Rapidleech's
Server.

In order to successfully exploit the vulnerability, hackers only need to
perform a GET method from the browser with his desired file name and file
path parameters. Depending on the purpose of hackers, as well as the
configuration of Rapidleech Server, they can get sensitive information, or
even take complete control of Rapidleech's Server.

In addition, we have also found an XSS vulnerability in the Upload function,
which allows executing JavaScript from browsers. However, this vulnerability
is only rated medium severity.

3. Solution

At the moment, the producer hasn't released the patch for this vulnerability
yet. Therefore, Bkis recommends that all organizations and individuals using
Rapidleech:
. Do not use the Upload function of Rapidleech until the producer release
the patch.
. Or download and apply this patch here (note: this is the patch provided by
Bkis, not the producer).

www.Bkis.vn