Hadi999/CVE-2023-27179.txt

## CVE-2023-27179.txt
> [Suggested description]
> GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary
> file download vulnerability via the filename parameter at
> /_admin/imgdownload.php.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> GDidees
>
> ------------------------------------------
>
> [Affected Product Code Base]
> GDidees CMS - 3.9.1 and lower versions
>
> ------------------------------------------
>
> [Affected Component]
> The affected file is {webroot}/_admin/imgdownload.php and the vulnerable GET parameter is 'filename'.
> Even if the script is in the administrative directory there is no admin session control in the code with means any visitor can download files.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> In order to successfully exploit this vulnerability an attacker need to make a GET request the following url.
>
> URL : [http://{gdidees_root}/_admin/imgdownload.php?filename=../../../../../etc/passwd]http://{gdidees_root}/_admin/imgdownload.php?filename=../../../../../etc/passwd ( /etc/passwd is the file we want to read)
> If the request has been using an Browser then the content of the file will be downloaded with an .png extension or directly printed if using cURL.
>
> ------------------------------------------
>
> [Reference]
> https://www.gdidees.eu/cms-1-0.html
> https://knowledge-base.secureflag.com/vulnerabilities/unrestricted_file_download/unrestricted_file_download_vulnerability.html
>
> ------------------------------------------
>
> [Discoverer]
> Hadi Mene
	> [Suggested description]
	> GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary
	> file download vulnerability via the filename parameter at
	> /_admin/imgdownload.php.
	>
	> ------------------------------------------
	>
	> [Vulnerability Type]
	> Incorrect Access Control
	>
	> ------------------------------------------
	>
	> [Vendor of Product]
	> GDidees
	>
	> ------------------------------------------
	>
	> [Affected Product Code Base]
	> GDidees CMS - 3.9.1 and lower versions
	>
	> ------------------------------------------
	>
	> [Affected Component]
	> The affected file is {webroot}/_admin/imgdownload.php and the vulnerable GET parameter is 'filename'.
	> Even if the script is in the administrative directory there is no admin session control in the code with means any visitor can download files.
	>
	> ------------------------------------------
	>
	> [Attack Type]
	> Remote
	>
	> ------------------------------------------
	>
	> [Impact Information Disclosure]
	> true
	>
	> ------------------------------------------
	>
	> [Attack Vectors]
	> In order to successfully exploit this vulnerability an attacker need to make a GET request the following url.
	>
	> URL : [http://{gdidees_root}/_admin/imgdownload.php?filename=../../../../../etc/passwd]http://{gdidees_root}/_admin/imgdownload.php?filename=../../../../../etc/passwd ( /etc/passwd is the file we want to read)
	> If the request has been using an Browser then the content of the file will be downloaded with an .png extension or directly printed if using cURL.
	>
	> ------------------------------------------
	>
	> [Reference]
	> https://www.gdidees.eu/cms-1-0.html
	> https://knowledge-base.secureflag.com/vulnerabilities/unrestricted_file_download/unrestricted_file_download_vulnerability.html
	>
	> ------------------------------------------
	>
	> [Discoverer]
	> Hadi Mene