Re: Seo Panel 2.1.0 - Critical File Disclosure

[Zach C <fxchip () gmail com>]

This is really a non-fix, as some legitimate files might have the double-period as part of its name and might still be 
circumvented with exactly the same string you provided here minus one slash. 

The real solution would be to get the absolute path of the file provided and fail if that path isn't beneath the 
current directory/directory this should operate under. Something like:

$fnCheck = realpath($fileName);
If ($fnCheck === FALSE || strncasecmp(getcwd(), $fnCheck, strlen(getcwd())) return false;

(replacing getcwd() with whatever dir this should work with if not the current one)

-Zach

Sent from my iPhone

On Nov 8, 2010, at 7:00 AM, advisories () intern0t net wrote:

> Seo Panel - Critical File Disclosure
>
>
> Versions Affected: 2.1.0 (previous versions were not checked.)
>
> Info:
> A complete open source seo control panel for managing search engine optimization of your websites.
> Seo Panel is a seo tool kit includes latest hot seo tools to increase and track the performace of your websites.
>
> External Links:
> http://www.seopanel.in/
>
> Credits: MaXe (@InterN0T)
>
>
> -:: The Advisory ::-
> Seo Panel is prone to Critical File Disclosure due to download.php does not sanitize user-
> input properly via the "file" GET-parameter.
> By using ....// instead of ../ to traverse through directories and by appending a %00 byte
> in the end of the request it is possible to load virtually any file that the webserver user has
> read access to. The PHP function which reads & returns the data from the file is: readfile($var);
>
>
> Proof of Concept URL:
> http://example.tld/seopanel/download.php?filesec=sitemap&filetype=text&file=....//config/sp-config.php%00.txt
>
> Note: This attack requires a valid user though it works regardless of any privileges the user might have.
> (User registrations are enabled by default as well, making this attack possible in most scenarios.)
>
>
> -:: Solution ::-
> download.ctrl.php: (Line 55-62)
> 55  function isValidFile($fileName) {
> 56      $fileName = urldecode($fileName);
>        // This tries to prevent directory traversal
> 57      $fileName = str_replace('../', '', $fileName);
> 58      if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
> 59          return $fileName;
> 60      }      
> 61      return false;
> 62  }
>
> Suggested patch: (Line 55-62)
> 55  function isValidFile($fileName) {
> 56      $fileName = urldecode($fileName);
>        // This isn't as easy to bypass anymore
> 57      $fileName = str_replace('..', '', $fileName); // This is changed.
> 58      if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
> 59          return $fileName;
> 60      }      
> 61      return false;
> 62  }
>
>
> Disclosure Information:
> - Vulnerabilities found and researched: 31st October 2010
> - Full Disclosure 8th November 2010
>
> References:
> http://www.exploit-db.com/finding-0days-in-web-applications/
> http://www.youtube.com/watch?v=ni3inoHkOPc
> http://forum.intern0t.net/intern0t-advisories/3329-search-engine-optimization-panel-2-1-0-critical-file-disclosure.html