Various TeamPass (http://teampass.net/) issues.

Arbitrary file data write (leading to RCE)

./sources/export.queries.php:471: $outstream = fopen($_POST['file'], "a"); (place php in item description)

./sources/admin.queries.php:1110: $fh = fopen($tmp_skfile, 'w'); (admin required)

SQLi

./sources/views.queries.php:437: ORDER BY ".$_POST['order']." ".$_POST['direction']." (admin required)
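
One way to close the ORDER BY injection above is to map both request parameters onto a fixed allow-list, since column names and sort keywords cannot be bound as prepared-statement parameters. This is an added example, not TeamPass code; the function name build_order_by and the column names are hypothetical.

```php
<?php
// Added example, not TeamPass code. Function and column names are hypothetical.

/**
 * Turn user-supplied sort parameters into an ORDER BY clause built only
 * from fixed strings. Nothing from the request reaches the query text.
 */
function build_order_by(array $post): string
{
    // Allow-list: request value => real column (hypothetical columns).
    $columns = [
        'date'  => 'l.date',
        'label' => 'i.label',
        'login' => 'u.login',
    ];
    $directions = ['ASC', 'DESC'];

    // Reject non-string input such as order[]=x before using it as a key.
    $order = isset($post['order']) && is_string($post['order'])
        ? $post['order'] : '';
    $dir = isset($post['direction']) && is_string($post['direction'])
        ? strtoupper($post['direction']) : '';

    // Unknown values fall back to a default; the input is never echoed back.
    $column    = $columns[$order] ?? $columns['date'];
    $direction = in_array($dir, $directions, true) ? $dir : 'ASC';

    return 'ORDER BY ' . $column . ' ' . $direction;
}

// Constructed sample inputs: one valid, three that must fall back to defaults.
$samples = [
    ['order' => 'label', 'direction' => 'desc'],
    ['order' => 'label; --', 'direction' => 'ASC'],
    ['order' => ['x'], 'direction' => 'DESC, 1'],
    [],
];
foreach ($samples as $post) {
    echo build_order_by($post), PHP_EOL;
}
```

The rest of the query can then use bound parameters as usual, with the returned clause appended as a trusted constant.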

No Authz on file download:

./sources/downloadFile.php:47: $fp = fopen($_SESSION['settings']['path_to_upload_folder'].'/'.$result['file'], 'rb');

PHP Code execution (unfortunately function is not called):

./sources/kb.queries.php:62: $value = preg_replace('/%([0-9a-f]{2})/ie', 'chr(hexdec($1))', (string) $value);
