meltingice / CamanJS

JavaScript HTML5 (Ca)nvas (Man)ipulation
http://camanjs.com
BSD 3-Clause "New" or "Revised" License
3.55k stars 404 forks

CamanJS-master/proxies/caman_proxy.php open proxy #176

Closed lcashdol closed 8 years ago

lcashdol commented 9 years ago

Hello All, caman_proxy.php acts as an unauthenticated open proxy. It can also be used to read local files on a system as long as they end with an image extension like .jpg, .png, .gif, .jpeg.

Open Proxy: http://www.vapidlabs.com/wp-content/plugins/grand-media/assets/image-editor/camanjs/proxies/caman_proxy.php?camanProxyUrl=http://192.168.0.2/banner3.jpeg

Local Image Files: http://www.vapidlabs.com/wp-content/plugins/grand-media/assets/image-editor/camanjs/proxies/caman_proxy.php?camanProxyUrl=/tmp/loader.gif

I've also filed a vulnerability report with the authors of the Grand Media WordPress plugin.

If a user changes the default behavior of requiring a specific extension on line 4 to true:

define('ALLOW_NO_EXT', false);

then caman_proxy.php can be used to read sensitive system files on a local system.
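A defensive counterpart to the report above, as an added example that is not part of the original issue or of the CamanJS code: a URL check that a proxy of this kind could apply to camanProxyUrl before fetching anything. The function name, the host allowlist and the stubbed DNS answers are assumptions made for illustration.

```php
<?php
// Added example: hypothetical validator, not code from CamanJS.
// Assumption: the proxy only needs images from a short list of known hosts.
const ALLOWED_HOSTS = ['images.example.com', 'cdn.example.com']; // placeholders
const ALLOWED_EXTS  = ['jpg', 'jpeg', 'png', 'gif'];

function validate_proxy_url(string $url, ?callable $resolve = null): ?string
{
    $resolve = $resolve ?? 'gethostbynamel'; // IPv4 lookup; injectable for offline runs
    $p = parse_url($url);
    // A bare path such as /tmp/loader.gif parses with no scheme or host: reject it.
    if (!is_array($p) || !isset($p['scheme'], $p['host'], $p['path'])) return null;
    // http(s) only, which rules out file://, php:// and other stream wrappers.
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return null;
    // No embedded credentials (user:pass@host).
    if (isset($p['user']) || isset($p['pass'])) return null;
    // Exact-match allowlist; IP literals such as 192.168.0.2 never match.
    $host = strtolower($p['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) return null;
    // The extension is checked on the parsed path only, and is always required.
    $ext = strtolower(pathinfo($p['path'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTS, true)) return null;
    // Fail closed if the name does not resolve, or resolves to a private or
    // reserved address (an allowlisted name pointed at an internal host).
    $ips = $resolve($host);
    if (!is_array($ips) || $ips === []) return null;
    foreach ($ips as $ip) {
        $public = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($public === false) return null;
    }
    return $url;
}

// Constructed DNS answers so the demo runs offline.
$dns  = ['images.example.com' => ['93.184.216.34'], 'cdn.example.com' => ['10.0.0.5']];
$stub = fn(string $h) => $dns[$h] ?? false;
$samples = [                                  // constructed inputs
    'http://images.example.com/a/photo.png',  // allowlisted host, public address
    'http://cdn.example.com/logo.gif',        // allowlisted host, private address
    'http://192.168.0.2/banner3.jpeg',        // internal host from the report
    '/tmp/loader.gif',                        // local path from the report
    'http://images.example.com/etc/passwd',   // no image extension
];
foreach ($samples as $u) {
    printf("%-7s %s\n", validate_proxy_url($u, $stub) === null ? 'reject' : 'allow', $u);
}
```

The fetch that follows such a check should not follow redirects and should connect to the address that was validated, since a redirect or a second DNS lookup can otherwise route the request somewhere the check never saw.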

EdTheC commented 8 years ago

The link is bad....

lcashdol commented 8 years ago

Ah sorry, those were just example proof-of-concept exploits. This is a better write-up: http://www.vapidlabs.com/advisory.php?v=122

lcashdol commented 8 years ago

Closing.