#######################################################################################
Target:
HTTP Upload Tool For PHP 1.0
Vulnerability:
Information disclosure
Description:
The download.php file in Upload Tool for PHP neither verifies that a
requestor has authenticated, nor performs any sanity checking on the file
being requested. This allows an unauthenticated user to download any file
which the web server has read rights to, including the users.conf file which
contains a list of Upload Tool's users and their hashed passwords.
Vulnerable Code (truncated):
$filename = $_GET['filename'];
readfile("$filename");
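A hardened counterpart to the two vulnerable lines above, added here as an example; it is not Upload Tool's code or a fix published with this advisory. The session key `authenticated`, the `uploads` directory and the helper `resolve_download()` are assumptions, not names taken from the application.

```php
<?php
// Added example. Assumptions (not from Upload Tool): login sets
// $_SESSION['authenticated'], and uploads live in ./uploads beside this script.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';

// Map a client-supplied name to a regular file inside $baseDir, or null.
function resolve_download(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // basename() drops any directory part ("../../etc/passwd" -> "passwd").
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    // realpath() resolves symlinks; the result must still sit under $base.
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// 1. Authentication: refuse the request before touching the filesystem.
session_start();
if (empty($_SESSION['authenticated'])) {
    http_response_code(403);
    exit('Authentication required');
}

// 2. Sanity checking: only serve files that resolve inside the upload directory.
$name = $_GET['filename'] ?? '';
$path = is_string($name) ? resolve_download(UPLOAD_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}

// 3. Serve as an opaque attachment so the browser never renders it inline.
header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Files such as users.conf should also be stored outside both the document root and the upload directory, so that neither this script nor a direct request can reach them.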
Exploit:
Discovered:
Craig Heffner
#######################################################################################