Full Disclosure mailing list archives

Snif 1.2.4 file retrieval bug


From: J <jay () j-security co uk>
Date: Wed, 26 Nov 2003 23:01:51 +0000



Vendor:                 http://www.bitfolge.de
Bug Found:              November 24 2003
Date Reported:          November 25, 2003
Severity:               High
Systems Affected:       Any running PHP


1. About Snif
-------------

From website :

Snif is a simple and nice index file.

Server generated directory indexes are ugly. OK, they work 
everywhere, but they are still ugly. If you'd like your download 
directory to be maintainable without creating and changing huge 
HTML files, just put snif as its index file into the directory and 
away you go!

Features:        
        
        - Ready to run: you don't have to change anything, just put snif 
        into a directory and let it do its job.
        - Single file, does not clutter your directories
        - File and directory descriptions
        - Download files instead of opening them        
        - Listing sortable by name, size or date
        - Display sub directories and handle direct requests to them gently
        - Built-in file icons
        - Optional: use external icons instead of built-in ones


2. Problem Description
----------------------

The script takes two query-string parameters, "path" and "download", from the
URL and concatenates them. It stores the result in the variable $filename,
which is the file to be downloaded.
By default the value of the path variable is NULL, and there is no check that
the "download" parameter refers to a file inside the intended directory. An
attacker can therefore set the "download" parameter to any file on the file
system while leaving "path" NULL, and the script will send the requested file
to him/her.


<code>
// this handles the download requests
if ($_GET["download"]!="") {
        // This is where the path checking fails
        $filename = $path.$_GET["download"];
        if (
                !file_exists($filename)
                OR fileIsHidden($_GET["download"])
                OR (substr(strtolower($_GET["download"]), -4)==".php" AND !$allowPHPDownloads)) {
                
                Header("HTTP/1.0 404 Not Found");
                echo "<b>Error: File not found.</b><br><br>we suggest you 
                <a href=\"".$_SERVER["HTTP_REFERER"]."\">go back</a>";
        } else {
                Header("Content-Length: ".filesize($filename));
                Header("Content-Type: application/x-download");
                Header("Content-Disposition: attachment; filename=".$_GET["download"]);
                readfile($filename);
        }
        die();
}
</code>

An example:
        http://www.yourserver.com/snif/index.php?download=/etc/passwd
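
As an added illustration, not part of the original advisory and not snif's own
code, the following PHP shows the kind of check the handler above is missing:
the directory served from is fixed by the script rather than taken from the
query string, the request must name a single plain file inside it, and the
canonical path is verified before anything is read. The function name
resolveDownload, the base directory and the temporary-directory demonstration
are assumptions made for this example; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not snif's code: a confined replacement for the
// "$filename = $path.$_GET['download']" construction in the advisory.
// The directory to serve from is fixed by the script ($baseDir), never
// taken from the query string, and the request must name one plain file
// inside it. Requires PHP 7.1+ (nullable return type).

function resolveDownload(string $baseDir, string $requested): ?string
{
    // A valid request is a bare file name: no path separators, no NUL
    // bytes (which would truncate the path in the C library), not "." or "..".
    if ($requested === '' || $requested === '.' || $requested === '..') {
        return null;
    }
    if (strpbrk($requested, "/\\\0") !== false) {
        return null;
    }

    // Canonicalise both sides. realpath() resolves symlinks and "..",
    // and returns false if the target does not exist.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }

    // Containment check on the canonical path: the file must live directly
    // in the base directory. This also rejects a symlink inside the
    // directory that points elsewhere on the file system.
    if (dirname($full) !== $base) {
        return null;
    }
    return $full;
}

// In an index file it would be used like this (hypothetical usage):
//   $file = resolveDownload(__DIR__, $_GET['download'] ?? '');
//   if ($file === null) { header('HTTP/1.0 404 Not Found'); exit; }
//   header('Content-Disposition: attachment; filename="' . basename($file) . '"');
//   readfile($file);

// Self-contained demonstration against a constructed temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'snif-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'readme.txt', "hello\n");

$requests = [
    'readme.txt',              // legitimate: resolved path is returned
    '/etc/passwd',             // the advisory's example: rejected
    '../../../../etc/passwd',  // traversal: rejected
    "readme.txt\0.jpg",        // NUL-byte truncation: rejected
    'missing.txt',             // not present: rejected
];
foreach ($requests as $r) {
    $result = resolveDownload($dir, $r);
    printf("%-26s => %s\n", addcslashes($r, "\0"), $result ?? 'REJECTED');
}

unlink($dir . DIRECTORY_SEPARATOR . 'readme.txt');
rmdir($dir);
```

Run it with the php command-line binary; only the first request yields a path,
the others print REJECTED. The important design choice is that the containment
decision is made on the output of realpath(), not on the raw request string, so
the check holds regardless of how the name was encoded or whether a symlink
sits inside the directory.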


3. Vulnerable Versions
----------------------

All versions before 1.2.5 are vulnerable.


4. Solution
-----------

Download version 1.2.5 from the vendor's homepage:
http://www.bitfolge.de/snif



5. Timeline
-----------

24 November 2003 - Bug Found
25 November 2003 - Vendor Contacted
26 November 2003 - Vendor Fixed Bug



Regards
Jay

jay () j-security co uk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

