Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25097
HistoryNov 09, 2010 - 12:00 a.m.

Seo Panel 2.1.0 - Critical File Disclosure

2010-11-0900:00:00
vulners.com
46

Seo Panel - Critical File Disclosure

Versions Affected: 2.1.0 (previous versions were not checked.)

Info:
A complete open source seo control panel for managing search engine optimization of your websites.
Seo Panel is a seo tool kit includes latest hot seo tools to increase and track the performace of your websites.

External Links:
http://www.seopanel.in/

Credits: MaXe (@InterN0T)

-:: The Advisory ::-
Seo Panel is prone to Critical File Disclosure due to download.php does not sanitize user-
input properly via the "file" GET-parameter.
By using …// instead of …/ to traverse through directories and by appending a %00 byte
in the end of the request it is possible to load virtually any file that the webserver user has
read access to. The PHP function which reads & returns the data from the file is: readfile($var);

Proof of Concept URL:
http://example.tld/seopanel/download.php?filesec=sitemap&filetype=text&file=....//config/sp-config.php%00.txt

Note: This attack requires a valid user though it works regardless of any privileges the user might have.
(User registrations are enabled by default as well, making this attack possible in most scenarios.)

-:: Solution ::-
download.ctrl.php: (Line 55-62)
55 function isValidFile($fileName) {
56 $fileName = urldecode($fileName);
// This tries to prevent directory traversal
57 $fileName = str_replace('…/', '', $fileName);
58 if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
59 return $fileName;
60 }
61 return false;
62 }

Suggested patch: (Line 55-62)
55 function isValidFile($fileName) {
56 $fileName = urldecode($fileName);
// This isn't as easy to bypass anymore
57 $fileName = str_replace('…', '', $fileName); // This is changed.
58 if (preg_match('/\.xml$|\.html$|\.txt$/i', $fileName)) {
59 return $fileName;
60 }
61 return false;
62 }

Disclosure Information:

  • Vulnerabilities found and researched: 31st October 2010
  • Full Disclosure 8th November 2010

References:
http://www.exploit-db.com/finding-0days-in-web-applications/
http://www.youtube.com/watch?v=ni3inoHkOPc
http://forum.intern0t.net/intern0t-advisories/3329-search-engine-optimization-panel-2-1-0-critical-file-disclosure.html