[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Seo Panel 2.1.0 - Critical File Disclosure

To: "advisories@xxxxxxxxxxxx" <advisories@xxxxxxxxxxxx>
Subject: Re: Seo Panel 2.1.0 - Critical File Disclosure
From: Zach C <fxchip@xxxxxxxxx>
Date: Mon, 8 Nov 2010 10:50:08 -0800

This is really a non-fix, as some legitimate files might have the double-period 
as part of its name and might still be circumvented with exactly the same 
string you provided here minus one slash. 

The real solution would be to get the absolute path of the file provided and 
fail if that path isn't beneath the current directory/directory this should 
operate under. Something like:

$fnCheck = realpath($fileName);
If ($fnCheck === FALSE || strncasecmp(getcwd(), $fnCheck, strlen(getcwd())) 
return false;

(replacing getcwd() with whatever dir this should work with if not the current 
one)

-Zach

Sent from my iPhone

On Nov 8, 2010, at 7:00 AM, advisories@xxxxxxxxxxxx wrote:

> Seo Panel - Critical File Disclosure
> 
> 
> Versions Affected: 2.1.0 (previous versions were not checked.)
> 
> Info:
> A complete open source seo control panel for managing search engine 
> optimization of your websites.
> Seo Panel is a seo tool kit includes latest hot seo tools to increase and 
> track the performace of your websites.
> 
> External Links:
> http://www.seopanel.in/
> 
> Credits: MaXe (@InterN0T)
> 
> 
> -:: The Advisory ::-
> Seo Panel is prone to Critical File Disclosure due to download.php does not 
> sanitize user-
> input properly via the "file" GET-parameter.
> By using ....// instead of ../ to traverse through directories and by 
> appending a %00 byte
> in the end of the request it is possible to load virtually any file that the 
> webserver user has
> read access to. The PHP function which reads & returns the data from the file 
> is: readfile($var);
> 
> 
> Proof of Concept URL:
> http://example.tld/seopanel/download.php?filesec=sitemap&filetype=text&file=....//config/sp-config.php%00.txt
> 
> Note: This attack requires a valid user though it works regardless of any 
> privileges the user might have.
> (User registrations are enabled by default as well, making this attack 
> possible in most scenarios.)
> 
> 
> -:: Solution ::-
> download.ctrl.php: (Line 55-62)
> 55  function isValidFile($fileName) {
> 56      $fileName = urldecode($fileName);
>        // This tries to prevent directory traversal
> 57      $fileName = str_replace('../', '', $fileName);
> 58      if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
> 59          return $fileName;
> 60      }      
> 61      return false;
> 62  }
> 
> Suggested patch: (Line 55-62)
> 55  function isValidFile($fileName) {
> 56      $fileName = urldecode($fileName);
>        // This isn't as easy to bypass anymore
> 57      $fileName = str_replace('..', '', $fileName); // This is changed.
> 58      if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
> 59          return $fileName;
> 60      }      
> 61      return false;
> 62  }
> 
> 
> Disclosure Information:
> - Vulnerabilities found and researched: 31st October 2010
> - Full Disclosure 8th November 2010
> 
> References:
> http://www.exploit-db.com/finding-0days-in-web-applications/
> http://www.youtube.com/watch?v=ni3inoHkOPc
> http://forum.intern0t.net/intern0t-advisories/3329-search-engine-optimization-panel-2-1-0-critical-file-disclosure.html

References:
- Seo Panel 2.1.0 - Critical File Disclosure
  - From: advisories

Prev by Date: [ MDVSA-2010:155-1 ] mysql
Next by Date: DIMVA 2011 Call for Workshops Proposals
Previous by thread: Seo Panel 2.1.0 - Critical File Disclosure
Next by thread: Malware Collections and Feed Exchange
Index(es):
- Date
- Thread