4images 1.7.11: Path Traversal

4images 1.7.11: Path Traversal

Date: 2015-12-02 16:25:06
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: 4images 1.7.11
Fixed in: 1.7.12
Fixed Version Link: http://www.4homepages.de/download-4images
Vendor Website: http://www.4homepages.de/
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: Requested, but not assigned
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description


Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N


When downloading or displaying a backup file, the file Parameter is vulnerable to directory traversal. This is the case because the get_basefile function contains a bug. When the passed path name ends with a slash, it will return the entire path instead of the file name.

By adding ?/ to the file name, an attacker can thus download or display arbitrary files.

Admin credentials are required to view or download backup files.

3. Proof of Concept

GET /4images/admin/backup.php?action=downloadbackup&file=../../../../../../etc/passwd?/ HTTP/1.1 GET /4images/admin/backup.php?action=showbackup&file=../../../../../../etc/passwd?/ HTTP/1.1

4. Code

/admin/bachup.php if (isset($HTTP_GET_VARS['file']) || isset($HTTP_POST_VARS['file'])) { $file = (isset($HTTP_GET_VARS['file'])) ? get_basefile(trim($HTTP_GET_VARS['file'])) : get_basefile(trim($HTTP_POST_VARS['file'])); } else { $file = ""; } if ($action == "downloadbackup") { $size = @filesize(ROOT_PATH.DATABASE_DIR."/".$file); header("Content-type: application/x-unknown"); header("Content-length: $size\n"); header("Content-Disposition: attachment; filename=$file\n"); readfile(ROOT_PATH.DATABASE_DIR."/".$file); exit; } /includes/functions.php function get_basename($path) { $path = str_replace("\\", "/", $path); $name = substr(strrchr($path, "/"), 1); return $name ? $name : $path; } function get_basefile($path) { $basename = get_basename($path); preg_match("#(.+)\?(.+)#", $basename, $regs); return isset($regs[1]) ? $regs[1] : $basename; }

5. Solution

To mitigate this issue please upgrade at least to version 1.7.12:


Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
10/21/2015 Reminded Vendor of Disclosure Date
11/03/2015 Vendor releases fix
11/17/2015 CVE Requested (no reply)
12/02/2015 Disclosed to public