Local File Download (LFD) ranjivost | Kako da popravim bug?

roodrd · svibanj 2014 16:11 13

Pozdrav, naisao sam na jedan bug na sajtu tacnije LFD i omogucio mi je pristup rootu.
Eh sada ja to zelim nekako da popravim no ne poznajem dobro PHP stoga vas molim da mi pomognete.

download.php

<?php
/*include("download.inc.php");


// path example
$myPath = "../../sindikat-docs";

// New Object
$objDownload = new EasyDownload();

// Set physical path
$objDownload->setPath($myPath);

// Set file name on the server (real full name)
$objDownload->setFileName($_GET["file"]);

// In case that it does not desire to effect download with original name.  
// It configures the alternative name
$objDownload->setFileNameDown(str_replace(" ", "_", $_GET["file"]));

// get file
$objDownload->Send();*/
echo 'Disabled';
?>

Mozete vidjeti comment tagove, to je privremeno dok ne sredim bug.

download.inc.php

<?php
/*
class EasyDownload
{
	var $ContentType;				
	var $ContentLength;
	var $ContentDisposition;
	var $ContentTransferEncoding;
	var $Path;
	var $FileName;
	var $FileNameDown;	
	
	function EasyDownload()
	{
		$this->ContentType 				= "application/octet-stream";
		$this->ContentLength			= "";	
		$this->ContentDisposition		= "";
		$this->ContentTransferEncoding	= "";
		$this->Path						= "";
		$this->FileName					= "";
		$this->FileNameDown		= "";		
	}
	
	function setContentType($strValue)
	{
		$this->ContentType = $strValue;
	}
	
	function _setContentLength()
	{
		$this->ContentLength = filesize($this->Path . "/" . $this->FileName);
	}
	
	function setContentDisposition($strValue)
	{
		$this->ContentDisposition = $strValue;
	}
	
	function setContentTransferEncoding($strValue)
	{
		$this->ContentTransferEncoding = $strValue;
	}
	

	function setPath($strValue)
	{
		$this->Path = $strValue;
	}
	
	function setFileName($strValue)
	{
		$this->FileName = $strValue;
	}		
	
	function setFileNameDown($strValue)
	{
		$this->FileNameDown = $strValue;
	}			
	
	function send()
	{
		$this->_setContentLength();
		header("Content-Type: " .  $this->ContentType); 	
		header("Content-Length: " .  $this->ContentLength);

		if ($this->FileNameDown == "")
			header("Content-Disposition: attachment; filename=" . $this->FileName); 
		else
			header("Content-Disposition: attachment; filename=" . $this->FileNameDown); 		
			
		header("Content-Transfer-Encoding: binary");
		$fp = fopen($this->Path . "/" . $this->FileName, "r"); 
		fpassthru($fp); 
		fclose($fp);		
	}		
}*/
echo 'Disabled';
?>

shimi · svibanj 2014 16:26 13

Problem ti je u ovome $objDownload->setFileName($_GET["file"]);
Sta ako bi neko recimo napisao ovako lupam http://domen.com/index.php?file=/etc/passwd …

roodrd · svibanj 2014 16:29 13

da i kako da popravim ?

shimi · svibanj 2014 17:48 13

Moras da stavis proveru, koliko sam pregledao ovu klasu nigde nisi stavio proveru da li je to stvarno fajl sa ekstenzijom nekom. Sastavi listu dopustenih ekstenzija, exploduj ime i proveri da li je ekstenzija u domenu dopustenih ako nije izbaci neku gresku itd…