From academic research to LFD critical vulnerability
Intro:
Three years ago, while conducting my academic research. I come accross a website to download an interresting pdf course.
I downloaded the pdf, and as always, the nerd come back to mind whenever had the chance, even if it’s not the subject of my research. So, I tried to test the website for what it seems to me a vulnerability. And guess what? it’s a critical one.
The website was affected by LFD (Local File Download). Instead of downloading the pdf course, a simple level back ../ can traverse directory back to its parent, to download any local file on that website.
I just need to specify the correct webroot. It’s a piece of cake as, we had only to read the
index.php to reveal the correct webroot path and other interesting information includes the database credentials…! It was easy to read the full database and get all the source source, this can be automated to grab the full source code.
Let us inspect the vulnerable part of the file: I targeted the vulnerable code to analyze, and I got 3 php lines of code described below:
<?php
header(“Content-type: application/pdf”);
header(“Content-Disposition: attachment; filename=upload/$_GET[pdf]”);
readfile($_GET[‘pdf’]);
?>
Code review:
header()is used to send a raw HTTP header.- The first line specifies the delivered content type
Content-type:application/pdf. - The second line, forces the file to be treated as attachement, and thus downloaded, not rendered. The filename attribute is the recommended name when saving the file.
- The vulnerable part was actually the last line, a clear
readfile()function that takes the value of the pdf argument without any sanitization.
Exploitation:
Simple call to : site.tld/endpoint.php?pdf=../../../etc/passwd will download all server users ! in a normal webroot /home/user/[public_html]/.
Sum up
The two lines are sent to the server as headers and the third one feeds the readfile function with the pdf parameter value.
With these three lines, I was able to get through many websites source code, using the vulnerable endpoint and with just a simple google dorking, I was amazed how many websites used that vulnerable endpoint, guess the same developer.
Even big companies were vulnerable, Till now while rewriting this!. I contacted the developer and was managed to remediate the issue !