Last active: April 6, 2023 11:35
> [Suggested description]
> GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary
> file download vulnerability via the filename parameter at
> /_admin/imgdownload.php.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> GDidees
>
> ------------------------------------------
>
> [Affected Product Code Base]
> GDidees CMS - 3.9.1 and lower versions
>
> ------------------------------------------
>
> [Affected Component]
> The affected file is {webroot}/_admin/imgdownload.php and the vulnerable GET parameter is 'filename'.
> Even though the script is located in the administrative directory, the code performs no admin session check, which means any visitor can download files.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> In order to successfully exploit this vulnerability, an attacker needs to make a GET request to the following URL.
>
> URL : http://{gdidees_root}/_admin/imgdownload.php?filename=../../../../../etc/passwd ( /etc/passwd is the file we want to read)
> If the request is made from a browser, the content of the file is downloaded with a .png extension; if cURL is used, it is printed directly.
>
> ------------------------------------------
>
> [Reference]
> https://www.gdidees.eu/cms-1-0.html
> https://knowledge-base.secureflag.com/vulnerabilities/unrestricted_file_download/unrestricted_file_download_vulnerability.html
>
> ------------------------------------------
>
> [Discoverer]
> Hadi Mene
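The two defects the report describes (no admin session check, and a `filename` parameter that is joined to a directory without being confined to it) can be closed with a small amount of logic. The Python below is an added example written for this page, not GDidees code; the image directory name and the `is_admin` session flag are constructed stand-ins for whatever the CMS actually uses.

```python
"""Hardened stand-in for an image download handler (added example, not GDidees code).

Fixes the two issues from the advisory: the request must carry an admin
session, and the requested filename must resolve to a path inside the
image directory, so '../../../../../etc/passwd' can never be served.
"""
import os
from typing import Dict, Optional, Tuple

# Constructed directory for the demo; the real CMS layout is not known here.
IMAGE_ROOT = "/var/www/cms/_admin/images"


def resolve_image_path(filename: str, root: str = IMAGE_ROOT) -> Optional[str]:
    """Return the canonical path of `filename` under `root`, or None if it escapes.

    normpath collapses '.' and '..' segments; commonpath then proves the result
    is still below `root`. An absolute filename is discarded by os.path.join,
    so it also fails the commonpath check.
    """
    if not filename or "\x00" in filename:
        return None
    root_norm = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root_norm, filename))
    if os.path.commonpath([root_norm, candidate]) != root_norm:
        return None          # traversal outside the image directory
    if candidate == root_norm:
        return None          # the directory itself is not a downloadable file
    return candidate


def handle_download(session: Dict[str, bool], params: Dict[str, str]) -> Tuple[int, str]:
    """Decision logic a hardened imgdownload script should apply, in request order.

    Returns an (HTTP status, detail) pair; the detail is the resolved path on success.
    """
    # Authorisation first: the original script had no session check at all.
    if not session.get("is_admin"):
        return 403, "admin session required"
    path = resolve_image_path(params.get("filename", ""))
    if path is None:
        return 400, "invalid filename"
    return 200, path


if __name__ == "__main__":
    # Constructed requests: the advisory's traversal string and a legitimate file.
    print(handle_download({}, {"filename": "logo.png"}))
    print(handle_download({"is_admin": True}, {"filename": "../../../../../etc/passwd"}))
    print(handle_download({"is_admin": True}, {"filename": "logo.png"}))
```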