[UNIX] CoolForum Shows Content of Arbitrary Files

From: support@securiteam.com
Date: 10/17/02 

From: support@securiteam.com
To: list@securiteam.com
Date: 17 Oct 2002 00:02:16 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  CoolForum Shows Content of Arbitrary Files
------------------------------------------------------------------------

SUMMARY

CoolForum's avatar.php has been found to contain a security vulnerability
that would allow remote attackers to access any file that resides outside
the bounding HTML root directory that is world readable.

DETAILS

Vulnerable systems:
 * CoolForum version 0.5

Immune systems:
 * CoolForum version 0.51

This forum contains a file named "avatar.php". This file can show an image
stored in the "logos" directory. Here is the source file of avatar.php:

<? header('Pragma: no-cache');
if (ereg(".jpg",$img))
   header("Content-Type: image/jpeg");
else if (ereg(".gif",$img))
   header("Content-Type: image/gif");
header('Expires: 0');

$fichier=3D"logos/$img";

$fp=3Dfopen($fichier,"r");
$image=3Dfread($fp,filesize($fichier));
fclose($fp);

echo($image);
?>

What this PHP actually do?
It's simple, it takes the name of the file as argument, reads it fully,
and then sends its content back to the browser. The security flaw is that
*any* file, in or *out* the logos directory can be show, bypassing *any*
protected directories...

Exploit:
The exploit is really easy. The aim is to read the "connect.php" file in
the "secret" directory. "connect.php" contains the information about the
database connection and "secret" directory is protected by a .htaccess
file. You can do the exploit with any browser by using this syntax:
http://>avatar.php?img=3D../secret/connect.php

Of course, replace <Forum_URL> by the vulnerable server. You will get a
blank page. If you edit the source of this web page, you'll get the file's
content.

Solution:
The vendor has been informed and has solved the problem. Download
CoolForum 0.5.1 or newer at :
 <http://www.coolforum.net/index.php?p=dlcoolforum>
http://www.coolforum.net/index.php?p=dlcoolforum

ADDITIONAL INFORMATION

The information has been provided by <mailto:webmaster@securiteinfo.com>
scrap.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages