Re: [ECHO_ADV_20$2005] Full path disclosure JAF CMS

["Steven M. Christey" <coley () mitre org>]

Two of these "full path disclosure" error messages suggest a much more
serious problem:

  http://localhost/jaf-cms/index.php?page=forum&category=general&id=3/*

  Warning: fopen(module/files/3/*): failed to open stream: No such
  file or directory in
  /var/www/html/jaf-cms/module/forum/inc/csvfile.php on line 197

The attacker's input - the "id" parameter - is eventually being used
in an fopen call.

Is the input being filtered or cleansed anywhere?  Is this really a
directory traversal problem?  Can the attacker open arbitrary files?

I don't have the tool installed, so I can't verify, but here are some
clues from the source code.

In forum.php in 3.0 Final:

  /* note: no previous mention of $id anywhere until the next line */

  if(isset($id))
  {                                 /* main data base access */
                        $base_comment_file = new csvfile;
                        $base_comment_file->name="module/files/".$id;


In csvfile.php, the cvsfile class is defined with the following
method:

        function open( $mode )
        // opens the data source
        {
                if ( ! $this->handle = fopen( $this->name, $mode ) )
                {
                        return false;
                }

So maybe at least CSV formatted files can be read; maybe arbitrary
files can be modified if any are opened in write mode?

Again, I don't have the tool involved, so I can't prove it for sure.

- Steve