CakePHP Arbitrary File Access

[gulftech]

Hello,

I just downloaded the latest version of CakePHP and noticed a fairly serious security issue.

[code] if (is_file('../../vendors/javascript/' . $_GETfile?) && (preg_match('/(.+)\\.js/', $_GETfile?))) {

readfile('../../vendors/javascript/' . $_GETfile?);

} /code

The above code allows anyone to read any file on the server. I believe this only works if magic quotes gpc is off (which is the default php settings).

 http://localhost/vendors.php?file=../../../../../etc/passwd%00blah.js

A URL like the one above would successfully display the contents of the passwd file.

[gulftech]

BTW, the vulnerable code is in app/webroot/js/vendors.php

[phpnut]

Have you prodcued this exploit or is this an assumption? I have tested with both:

magic_quotes_gpc = On
magic_quotes_gpc = Off

And can not produce this exploit.

[phpnut]

Sorry after deeper testing this is a valid exploit and is fixed in [3506].

[shin]

Hi, this problem is still in cake/scipts/templates/skel/webroot/js/vendors.php

[dho]

Fixed in [3507]. Thanks for reopening the ticket.

[bascorp]

 оригинальные картинки

[Samuel.johnson]

Thanks phpnut for the info you had given. | Florida Villas