Ticket #1429 (closed Security Exploit: fixed)
CakePHP Arbitrary File Access
| Reported by: | gulftech | Owned by: | Any Developer |
|---|---|---|---|
| Priority: | Critical | Milestone: | 1.2.x.x |
| Component: | Shells | Version: | 1.1 Stable |
| Severity: | Major | Keywords: | |
| Cc: | | | |
Description
Hello,
I just downloaded the latest version of CakePHP and noticed a fairly serious security issue.
```php
if (is_file('../../vendors/javascript/' . $_GET['file']) && (preg_match('/(.+)\\.js/', $_GET['file']))) {
    readfile('../../vendors/javascript/' . $_GET['file']);
}
```
The above code allows anyone to read any file on the server. I believe this only works if magic_quotes_gpc is off (which is the default PHP setting).
http://localhost/vendors.php?file=../../../../../etc/passwd%00blah.js
A URL like the one above would successfully display the contents of the passwd file.
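For reference, the following is an added example of how the quoted `vendors.php` snippet could be hardened; it is not CakePHP's own code or fix, and the base directory, the `.js`-only policy and the function name `resolve_vendor_js` are assumptions. The two weaknesses in the original are the unanchored regex (`/(.+)\.js/` matches anywhere in the string, so a `.js` suffix can follow the real target) and the NUL byte, which truncates the path when it reaches the C-level filesystem calls, so `passwd%00blah.js` is opened as `passwd`. The hardened version rejects NUL bytes, accepts only a plain filename, and confirms the canonicalised path still lies inside the intended directory.

```php
<?php
// Added example (not CakePHP's code): hardened replacement for the vendors.php
// file-serving snippet quoted in the ticket.
// Assumptions: served files live in vendors/javascript relative to this script,
// and only plain .js filenames are allowed.

function resolve_vendor_js(string $baseDir, $requested): ?string
{
    // Only accept a string parameter (an array in $_GET would cast to "Array").
    if (!is_string($requested)) {
        return null;
    }
    // Reject embedded NUL bytes outright: they truncate the path in the
    // filesystem call, which is what makes the "%00blah.js" suffix trick work.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Anchored pattern: a simple filename of letters, digits, dot, dash or
    // underscore that ends in ".js". This rejects "/" and ".." before any
    // filesystem call is made.
    if (!preg_match('/\A[A-Za-z0-9_\-]+\.js\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and "..", so the canonical path can be
    // compared against the base directory as defence in depth.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

$baseDir = __DIR__ . '/../../vendors/javascript';
$path = resolve_vendor_js($baseDir, $_GET['file'] ?? '');
if ($path === null) {
    // Same response for "not found" and "rejected" so the check leaks nothing.
    http_response_code(404);
    exit;
}
header('Content-Type: application/javascript');
readfile($path);
```

With this in place, the request `vendors.php?file=../../../../../etc/passwd%00blah.js` from the report fails at the NUL-byte check, and a request such as `vendors.php?file=../../config.php` fails the anchored filename pattern before `is_file()` is ever called. The `realpath()` prefix comparison is a second, independent check: even if the allow-list pattern were loosened later, a resolved path outside `vendors/javascript` would still be refused.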