SecurityTracker.com
Category:  Application (Generic)  >  Snif
Vendors:  Blankenhorn, Kai
snif Input Validation Flaw Discloses Files to Remote Users
SecurityTracker Alert ID:  1008318
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 27 2003
Impact:  Disclosure of system information, Disclosure of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 1.2.5
Description:  A vulnerability was reported in the 'simple and nice index file' (snif) application. A remote user can view files on the server.

It is reported that a remote user can specify an absolute path name and file name for the 'download' query string to view arbitrary files on the target system with the privileges of the web service.

A demonstration exploit URL is provided:

http://[target]/snif/index.php?download=/etc/passwd

Impact:  A remote user can view arbitrary files on the target system with the privileges of the target server's web daemon.
Solution:  The vendor has issued a fixed version (1.2.5), available at:

http://www.bitfolge.de/download/snif_125.zip

Vendor URL:  www.bitfolge.de/index.php?l=en&s=snif
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  J <jay@j-security.co.uk>
Message History:   None.


 Source Message Contents

Date:  Wed, 26 Nov 2003 23:01:51 +0000
From:  J <jay@j-security.co.uk>
Subject:  [Full-Disclosure] Snif 1.2.4 file retrieval bug

 



Vendor:			http://www.bitfolge.de
Bug Found: 		November 24 2003
Date Reported:		November 25, 2003
Severity:		High
Systems Affected:	Any running PHP


1. About Snif
-------------

From website:

Snif is a simple and nice index file.

Server generated directory indexes are ugly. OK, they work 
everywhere, but they are still ugly. If you'd like your download 
directory to be maintainable without creating and changing huge 
HTML files, just put snif as its index file into the directory and 
away you go!

Features:  	 
 
	- Ready to run: you don't have to change anything, just put snif 
	into a directory and let it do its job.
	- Single file, does not clutter your directories
	- File and directory descriptions
	- Download files instead of opening them	
	- Listing sortable by name, size or date
	- Display sub directories and handle direct requests to them gently
	- Built-in file icons
	- Optional: use external icons instead of built-in ones


2. Problem Description
----------------------

The script takes two query-strings "path" and "download" from the URL and 
concatenates them. It stores the result in the variable $filename 
which is the file to be downloaded. 
By default the value for the path variable is set to NULL and there is no 
error checking to see if the "download" querystring is outside the default 
directory. Thus an attacker could change the "download" querystring to any 
file on the file system while leaving the "path" NULL. This would allow 
him/her to download the file requested.


<code>
// this handles the download requests
if ($_GET["download"]!="") {
	// This is where the path checking fails
	$filename = $path.$_GET["download"];
	if (
		!file_exists($filename)
		OR fileIsHidden($_GET["download"])
		OR (substr(strtolower($_GET["download"]), -4)==".php" AND !$allowPHPDownloads)
	) {
		Header("HTTP/1.0 404 Not Found");
		echo "<b>Error: File not found.</b><br><br>we suggest you <a href=\"".$_SERVER["HTTP_REFERER"]."\">go back</a>";
	} else {
		Header("Content-Length: ".filesize($filename));
		Header("Content-Type: application/x-download");
		Header("Content-Disposition: attachment; filename=".$_GET["download"]);
		readfile($filename);
	}
	die();
}
</code>

An Example :

http://www.yourserver.com/snif/index.php?download=/etc/passwd


3. Vulnerable Versions
----------------------

All versions before 1.2.5 are vulnerable


4. Solution
------------

Download version 1.2.5 from the vendor's homepage.

http://www.bitfolge.de/snif


5. Timeline
------------

24 November 2003 - Bug Found
25 November 2003 - Vendor Contacted
26 November 2003 - Vendor Fixed Bug


Regards

Jay
jay@j-security.co.uk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
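
The containment check that the message says is missing, written out as an added example. This is not snif's code and not the vendor's 1.2.5 fix; the function name resolveDownload, the base-directory argument and the demo file names are assumptions made for this illustration.

```php
<?php
// Added example, not snif's code: confine a "download" request to one directory.

/**
 * Return the canonical path of $requested under $baseDir, or null when the
 * request is empty, not a regular file, or resolves outside $baseDir.
 */
function resolveDownload(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Always join under the base, so "/etc/passwd" becomes "<base>//etc/passwd"
    // instead of replacing the base as it did when $path was empty.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // realpath() has resolved ".." and symlinks; the result must still start
    // with "<base>/" (the trailing separator stops "/srv/files2" matching "/srv/files").
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo data: a temporary directory holding a single file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'snif_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'readme.txt', "hello\n");

$requests = ['readme.txt', '/etc/passwd', '../../../../etc/passwd', 'missing.txt'];
foreach ($requests as $name) {
    $real = resolveDownload($dir, $name);
    if ($real === null) {
        printf("%-24s -> 404\n", $name);
        continue;
    }
    // A real handler would now send headers and readfile($real), taking the
    // Content-Disposition name from basename($real), not from the query string.
    printf("%-24s -> serve %s (%d bytes)\n", $name, basename($real), filesize($real));
}

unlink($dir . DIRECTORY_SEPARATOR . 'readme.txt');
rmdir($dir);
```

The hidden-file and `.php` extension checks from the quoted snippet are left out here; they would run against the resolved path after this function returns.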



Copyright 2003, SecurityGlobal.net LLC