Open R4ilgun opened 4 years ago
Thanks. There is such a problem. I will correct it.
I think this is the easiest solution in line 9: if($_GET['file']{0}=='.'||$_GET['file']{0}=='/') die('Wrong file!');
You can limit "./" with preg_replace('/..\//i','/',$fname);
2020-03-11 17:15 GMT+08:00, porese notifications@github.com:
> I think this is the easiest solution in line 9: if($_GET['file']{0}=='.'||$_GET['file']{0}=='/') die('Wrong file!');
-- You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub: https://github.com/porese/kandidat-cms/issues/3#issuecomment-597523664
If only the filename is wanted, then $fname = preg_replace('/.{0,}\//i','',$fname);
$fname = preg_replace('/.{0,}\//i','',$fname); You are right, it works. But the payload download.php?file=....\index.php can also download; you should limit "\" as well.
2020-03-12 22:19 GMT+08:00, porese notifications@github.com:
> If only the filename is wanted, then $fname = preg_replace('/.{0,}\//i','',$fname);
Download Anything Vulnerability
Location: /download.php
There is a downloader that checks with two steps, in lines 9 and 12:
$_GET['file']{0}=='.'
and
preg_replace('/..\//i','',$fname)
to limit users so they can only download from /media/file/.
But we can bypass step 1 with: /
And bypass step 2 with: ....//
Because media/file/xxx = media/file//xxx and ....// --> ../
Payload: /download.php?file=/....//....//index.php
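The following is an added example, not code from kandidat-cms or from anyone in this thread. It reconstructs the two-step filter the report describes (the first-character check in line 9 and the single-pass preg_replace in line 12) so a maintainer can see what the reported payloads, including the backslash variant discussed above, look like after filtering, and it places a hardened resolver beside it that keeps only the last path component and confines the canonical path to the media directory with realpath(). The function names, the temporary base directory and the sample file are assumptions made for this example.

```php
<?php
// Added example, not code from kandidat-cms. It reconstructs the two-step
// filter the issue describes (a first-character check in line 9 and a
// single-pass preg_replace in line 12 of download.php) to show why the
// reported payloads get through, and puts a hardened resolver beside it.
// Function names, the temporary base directory and the sample file are
// assumptions made for this example.

declare(strict_types=1);

// Reconstruction of the reported filter. Returns the name that would reach
// the file-reading code, or null when the first-character check rejects it.
function weakFilter(string $file): ?string
{
    if ($file === '' || $file[0] === '.') {      // step 1: only the first byte is checked
        return null;
    }
    // step 2: one pass over "..\/"; the dots are unescaped, so any two bytes
    // followed by "/" are removed, and "....//" collapses to "../" afterwards.
    // Backslashes are never touched, so "....\index.php" passes unchanged.
    return preg_replace('/..\//i', '', $file);
}

// Hardened resolver: keeps only the last path component (for both separators),
// then insists that the canonical path is a regular file inside $baseDir.
function safeDownloadPath(string $file, string $baseDir): ?string
{
    $name = basename(str_replace('\\', '/', $file));
    if ($name === '' || $name[0] === '.') {       // no empty, dot-only or hidden names
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;                              // missing, or not a plain file
    }
    // realpath() has already resolved every ".." segment; this is the final
    // check that the result still lives under the media directory.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo: a constructed media directory holding one legitimate file.
$mediaDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_file_' . bin2hex(random_bytes(4));
mkdir($mediaDir, 0700, true);
file_put_contents($mediaDir . DIRECTORY_SEPARATOR . 'report.pdf', "%PDF-1.4 constructed sample\n");

$inputs = [
    'report.pdf',                    // legitimate request
    '/....//....//index.php',        // payload from the issue body
    '....\\index.php',               // backslash payload from the thread
];

foreach ($inputs as $file) {
    $weak = weakFilter($file);
    $safe = safeDownloadPath($file, $mediaDir);
    printf("%-26s weak filter -> %-22s hardened -> %s\n",
        var_export($file, true),
        $weak === null ? 'rejected' : var_export($weak, true),
        $safe === null ? 'rejected' : basename($safe));
}

unlink($mediaDir . DIRECTORY_SEPARATOR . 'report.pdf');
rmdir($mediaDir);
```

Running it shows the weak filter turning the issue's payload into `/../../index.php` (which, prefixed with `media/file/`, walks out of the media directory exactly as the report explains) and leaving the backslash payload untouched, while the hardened resolver serves only `report.pdf` and rejects both payloads because nothing by those names exists under the media directory. The design point is that a blacklist regex applied once can always be fed a string that becomes dangerous only after the replacement; resolving to a canonical absolute path and then checking the prefix against the allowed directory does not have that failure mode.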