Seo Panel 2.1.0 - Critical File Disclosure
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Seo Panel 2.1.0 - Critical File Disclosure
- From: advisories@xxxxxxxxxxxx
- Date: Mon, 8 Nov 2010 08:00:06 -0700
Seo Panel - Critical File Disclosure
Versions Affected: 2.1.0 (previous versions were not checked.)
Info:
A complete open source SEO control panel for managing search engine
optimization of your websites.
Seo Panel is an SEO tool kit that includes the latest hot SEO tools to
increase and track the performance of your websites.
External Links:
http://www.seopanel.in/
Credits: MaXe (@InterN0T)
-:: The Advisory ::-
Seo Panel is prone to a critical file disclosure because download.php does
not properly sanitize user input passed via the "file" GET parameter.
By using ....// instead of ../ to traverse directories and by appending a
%00 byte to the end of the request, it is possible to load virtually any
file that the web server user has read access to. str_replace() makes a
single pass, so removing ../ from ....// leaves ../ behind, and the trailing
.txt satisfies the extension check. The PHP function which reads and returns
the data from the file is: readfile($var);
Proof of Concept URL:
http://example.tld/seopanel/download.php?filesec=sitemap&filetype=text&file=....//config/sp-config.php%00.txt
Note: This attack requires a valid user account, though it works regardless
of any privileges the user might have. (User registrations are enabled by
default as well, making this attack possible in most scenarios.)
-:: Solution ::-
download.ctrl.php: (Line 55-62)
55 function isValidFile($fileName) {
56     $fileName = urldecode($fileName);
       // This tries to prevent directory traversal
57     $fileName = str_replace('../', '', $fileName);
58     if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
59         return $fileName;
60     }
61     return false;
62 }
Suggested patch: (Line 55-62)
55 function isValidFile($fileName) {
56     $fileName = urldecode($fileName);
       // This isn't as easy to bypass anymore
57     $fileName = str_replace('..', '', $fileName); // This is changed.
58     if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
59         return $fileName;
60     }
61     return false;
62 }
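A stricter check than the string replacement above, as an added example that is not part of the original advisory or Seo Panel's code: it canonicalizes the requested path with realpath() and confirms the result stays inside one download directory. The function name resolveDownload(), the $baseDir parameter and the sandbox files are assumptions made for illustration.

```php
<?php
// Added example. $baseDir and resolveDownload() are hypothetical names.
function resolveDownload(string $baseDir, string $fileName)
{
    // Assumes $fileName is already URL-decoded (as $_GET values are), so
    // no second urldecode() that would turn %252e%252e into "..".
    if ($fileName === '' || strpos($fileName, "\0") !== false) {
        return false; // NUL byte: refuse instead of letting the path truncate
    }
    if (!preg_match('/\.(xml|html|txt)$/i', $fileName)) {
        return false; // same extension allowlist as the original function
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // realpath() resolves "..", "." and symlinks; false if the file is missing
    $real = realpath($base . DIRECTORY_SEPARATOR . $fileName);
    if ($real === false || !is_file($real)) {
        return false;
    }
    // Compare canonical paths, not the raw request string
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : false;
}

// Constructed sandbox and inputs so the example runs offline
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('sp_demo_');
mkdir("$root/files", 0700, true);
mkdir("$root/config", 0700, true);
file_put_contents("$root/files/sitemap.txt", 'ok');
file_put_contents("$root/config/secret.txt", 'constructed secret');

$cases = [
    'sitemap.txt',                        // legitimate download
    "....//config/sp-config.php\0.txt",   // advisory PoC value once decoded
    '....//config/secret.txt',            // no directory named "...." exists
    '../config/secret.txt',               // resolves outside $baseDir
];
foreach ($cases as $c) {
    $r = resolveDownload("$root/files", $c);
    printf("%-36s => %s\n", addcslashes($c, "\0"), $r === false ? 'rejected' : 'served');
}
```

Only the first constructed input is served; the other three are rejected by the NUL check, the missing path, and the containment check respectively.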
Disclosure Information:
- Vulnerabilities found and researched: 31st October 2010
- Full Disclosure: 8th November 2010
References:
http://www.exploit-db.com/finding-0days-in-web-applications/
http://www.youtube.com/watch?v=ni3inoHkOPc
http://forum.intern0t.net/intern0t-advisories/3329-search-engine-optimization-panel-2-1-0-critical-file-disclosure.html