Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Seo Panel 2.1.0 - Critical File Disclosure
From: Zach C <fxchip () gmail com>
Date: Mon, 8 Nov 2010 10:50:08 -0800

This is really a non-fix, as some legitimate files might have the double-period as part of its name and might still be 
circumvented with exactly the same string you provided here minus one slash. 

The real solution would be to get the absolute path of the file provided and fail if that path isn't beneath the 
current directory/directory this should operate under. Something like:

$fnCheck = realpath($fileName);
If ($fnCheck === FALSE || strncasecmp(getcwd(), $fnCheck, strlen(getcwd())) return false;

(replacing getcwd() with whatever dir this should work with if not the current one)

-Zach

Sent from my iPhone

On Nov 8, 2010, at 7:00 AM, advisories () intern0t net wrote:

Seo Panel - Critical File Disclosure


Versions Affected: 2.1.0 (previous versions were not checked.)

Info:
A complete open source seo control panel for managing search engine optimization of your websites.
Seo Panel is a seo tool kit includes latest hot seo tools to increase and track the performace of your websites.

External Links:
http://www.seopanel.in/

Credits: MaXe (@InterN0T)


-:: The Advisory ::-
Seo Panel is prone to Critical File Disclosure due to download.php does not sanitize user-
input properly via the "file" GET-parameter.
By using ....// instead of ../ to traverse through directories and by appending a %00 byte
in the end of the request it is possible to load virtually any file that the webserver user has
read access to. The PHP function which reads & returns the data from the file is: readfile($var);


Proof of Concept URL:
http://example.tld/seopanel/download.php?filesec=sitemap&filetype=text&file=....//config/sp-config.php%00.txt

Note: This attack requires a valid user though it works regardless of any privileges the user might have.
(User registrations are enabled by default as well, making this attack possible in most scenarios.)


-:: Solution ::-
download.ctrl.php: (Line 55-62)
55  function isValidFile($fileName) {
56      $fileName = urldecode($fileName);
       // This tries to prevent directory traversal
57      $fileName = str_replace('../', '', $fileName);
58      if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
59          return $fileName;
60      }      
61      return false;
62  }

Suggested patch: (Line 55-62)
55  function isValidFile($fileName) {
56      $fileName = urldecode($fileName);
       // This isn't as easy to bypass anymore
57      $fileName = str_replace('..', '', $fileName); // This is changed.
58      if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
59          return $fileName;
60      }      
61      return false;
62  }


Disclosure Information:
- Vulnerabilities found and researched: 31st October 2010
- Full Disclosure 8th November 2010

References:
http://www.exploit-db.com/finding-0days-in-web-applications/
http://www.youtube.com/watch?v=ni3inoHkOPc
http://forum.intern0t.net/intern0t-advisories/3329-search-engine-optimization-panel-2-1-0-critical-file-disclosure.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]