Full Disclosure mailing list archives
Snif 1.2.4 file retrieval bug
From: J <jay () j-security co uk>
Date: Wed, 26 Nov 2003 23:01:51 +0000
Vendor: http://www.bitfolge.de
Bug Found: November 24 2003
Date Reported: November 25, 2003
Severity: High
Systems Affected: Any running PHP

1. About Snif
-------------
From website :

Snif is a simple and nice index file. Server generated directory indexes are ugly. OK, they work everywhere, but they are still ugly. If you'd like your download directory to be maintainable without creating and changing huge HTML files, just put snif as its index file into the directory and away you go!

Features:
- Ready to run: you don't have to change anything, just put snif into a directory and let it do its job.
- Single file, does not clutter your directories
- File and directory descriptions
- Download files instead of opening them
- Listing sortable by name, size or date
- Display sub directories and handle direct requests to them gently
- Built-in file icons
- Optional: use external icons instead of built-in ones

2. Problem Description
----------------------
The script takes two query-strings "path" and "download" from the URL and concatenates them. It stores the result in the variable $filename which is the file to be downloaded. By default the value for the path variable is set to NULL and there is no error checking to see if the "download" querystring is outside the default directory. Thus an attacker could change the "download" querystring to any file on the file system while leaving the "path" NULL. This would allow him/her to download the file requested.

<code>
// this handles the download requests
if ($_GET["download"]!="") {
    // This is where the path checking fails
    $filename = $path.$_GET["download"];
    if ( !file_exists($filename)
         OR fileIsHidden($_GET["download"])
         OR (substr(strtolower($_GET["download"]), -4)==".php" AND !$allowPHPDownloads)) {
        Header("HTTP/1.0 404 Not Found");
        echo "<b>Error: File not found.</b><br><br>we suggest you <a href=\"".$_SERVER["HTTP_REFERER"]."\">go back</a>";
    } else {
        Header("Content-Length: ".filesize($filename));
        Header("Content-Type: application/x-download");
        Header("Content-Disposition: attachment; filename=".$_GET["download"]);
        readfile($filename);
    }
    die();
}
</code>

An Example :
http://www.yourserver.com/snif/index.php?download=/etc/passwd

3. Vulnerable Versions
----------------------
All versions before 1.2.5 are vulnerable

4. Solution
------------
Download version 1.2.5 from the vendor's homepage.
http://www.bitfolge.de/snif

5. Timeline
------------
24 November 2003 - Bug Found
25 November 2003 - Vendor Contacted
26 November 2003 - Vendor Fixed Bug

Regards
Jay
jay () j-security co uk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
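
Added example, not part of the original post and not the vendor's 1.2.5 fix: one way to close the hole described in section 2 is to canonicalise the joined path and refuse anything that resolves outside the indexed directory. The function name resolveDownload, the temporary directory and the sample requests are constructed for illustration.

```php
<?php
// Added example: resolve a requested download and confirm it stays inside
// the directory being indexed. Function and variable names are hypothetical.
function resolveDownload(string $baseDir, string $path, string $download): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $download === '' || strpos($path . $download, "\0") !== false) {
        return null;
    }
    // Always anchor the request under the base directory, so an absolute
    // value such as "/etc/passwd" becomes "<base>//etc/passwd".
    $candidate = $base . DIRECTORY_SEPARATOR . $path . $download;
    // realpath() collapses "..", duplicate slashes and symlinks; false if missing.
    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check on the canonical path, with a trailing separator so
    // "/srv/files-private" does not pass as a child of "/srv/files".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed test data: an index directory with one file, and one file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'snif_demo_' . getmypid();
@mkdir($root . '/pub', 0700, true);
file_put_contents($root . '/pub/readme.txt', "hello\n");
file_put_contents($root . '/secret.txt', "outside the index\n");

$requests = [
    ['', 'readme.txt'],      // normal download
    ['', '/etc/passwd'],     // the request shown in the advisory
    ['', '../secret.txt'],   // relative traversal through "download"
    ['../', 'secret.txt'],   // traversal through "path"
];
foreach ($requests as [$path, $download]) {
    $file = resolveDownload($root . '/pub', $path, $download);
    printf("path=%-5s download=%-14s => %s\n", var_export($path, true), $download,
        $file === null ? '404' : 'serve ' . basename($file));
}

// Remove the constructed files again.
unlink($root . '/pub/readme.txt');
unlink($root . '/secret.txt');
rmdir($root . '/pub');
rmdir($root);
```

Only the first request is served; the other three resolve outside the index directory or to a missing file and get the 404 branch. A handler built on this would also take the Content-Disposition filename from basename() of the resolved path rather than from the raw query string.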