@Hadi999
Last active April 6, 2023 11:35
> [Suggested description]
> GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary
> file download vulnerability via the filename parameter at
> /_admin/imgdownload.php.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> GDidees
>
> ------------------------------------------
>
> [Affected Product Code Base]
> GDidees CMS - 3.9.1 and lower versions
>
> ------------------------------------------
>
> [Affected Component]
> The affected file is {webroot}/_admin/imgdownload.php and the vulnerable GET parameter is 'filename'.
> Although the script lives in the administrative directory, the code performs no admin session check, which means any visitor can download files.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> In order to successfully exploit this vulnerability, an attacker needs to make a GET request to the following URL.
>
> URL: http://{gdidees_root}/_admin/imgdownload.php?filename=../../../../../etc/passwd (/etc/passwd is the file to be read)
> If the request is made from a browser, the content of the file is downloaded with a .png extension; with cURL it is printed directly.
>
> ------------------------------------------
>
> [Reference]
> https://www.gdidees.eu/cms-1-0.html
> https://knowledge-base.secureflag.com/vulnerabilities/unrestricted_file_download/unrestricted_file_download_vulnerability.html
>
> ------------------------------------------
>
> [Discoverer]
> Hadi Mene
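As an added example that is not part of this gist and not code from the GDidees CMS: a Python sketch of the two controls the report describes as missing in imgdownload.php (an admin session check, and restriction of `filename` to a bare image name inside the image directory), together with a check over constructed web-server log lines that flags traversal attempts against that script. The function names, the `session` dict, the temporary image directory and the log lines are all assumptions constructed for this example.

```python
"""Added example, not from the GDidees code base: a hardened image-download
handler applying the controls the advisory reports as missing in
/_admin/imgdownload.php, plus a log check for traversal attempts against it.
All names and sample data are constructed for illustration."""
import os
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# An image-download endpoint should serve image files only.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def resolve_image_path(image_root: str, filename: str) -> Optional[str]:
    """Return the absolute path of `filename` inside `image_root`, or None.

    1. Refuse empty names, NUL bytes and anything that is not a bare file
       name, so "../x" and "/etc/passwd" are rejected before any I/O.
    2. Allow only image extensions, so PHP or config files inside the
       directory cannot be fetched either.
    3. Resolve symlinks with realpath and require the result to stay under
       image_root, which also covers links planted in the directory.
    """
    if not filename or "\x00" in filename:
        return None
    if os.path.basename(filename) != filename:
        return None
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    root = os.path.realpath(image_root)
    candidate = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def handle_download(session: dict, image_root: str, filename: str) -> Tuple[int, Optional[str]]:
    """Stand-in request handler: returns (HTTP status, path to stream or None).

    The session check runs first: the advisory's point is that the original
    script is reachable by any visitor despite living under /_admin/.
    """
    if not session.get("admin"):
        return 401, None
    path = resolve_image_path(image_root, filename)
    if path is None:
        return 404, None
    return 200, path


def find_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Scan constructed Apache-combined-format lines for imgdownload.php
    requests whose `filename` contains a '..' path segment. The value is
    decoded a second time so double-encoded '%252e%252e' is caught too;
    backslashes count as separators for Windows hosts."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split(" ")
        if len(request) < 2 or "/_admin/imgdownload.php" not in request[1]:
            continue
        params = parse_qs(urlsplit(request[1]).query)  # parse_qs decodes once
        for value in params.get("filename", []):
            decoded = unquote(value).replace("\\", "/")
            if ".." in decoded.split("/"):
                hits.append((line.split(" ")[0], decoded))
    return hits


SAMPLE_LOG = [  # constructed lines; addresses are from documentation ranges
    '203.0.113.5 - - [06/Apr/2023:11:35:01 +0000] "GET /_admin/imgdownload.php?filename=logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Apr/2023:11:35:07 +0000] "GET /_admin/imgdownload.php?filename=../../../../../etc/passwd HTTP/1.1" 200 1706 "-" "curl/7.88.1"',
    '203.0.113.9 - - [06/Apr/2023:11:35:09 +0000] "GET /_admin/imgdownload.php?filename=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1706 "-" "curl/7.88.1"',
    '198.51.100.2 - - [06/Apr/2023:11:36:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def build_demo_root() -> str:
    """Create a throwaway image directory with one image and one non-image file."""
    root = tempfile.mkdtemp(prefix="gdidees_images_")
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("not an image\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_root()
    for name in ("logo.png", "notes.txt", "../../../../../etc/passwd"):
        print(name, "->", handle_download({"admin": True}, demo_root, name))
    print("no session ->", handle_download({}, demo_root, "logo.png"))
    print("traversal hits:", find_traversal_requests(SAMPLE_LOG))
```

The realpath containment check is what actually closes the hole; the basename and extension checks in front of it are cheap early rejections that also produce clearer error handling. The log check only reports requests whose decoded `filename` still contains a `..` segment after one extra decoding pass, so it flags the plain and double-encoded forms of the URL in the report without matching ordinary image names.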