QuiXplorer directory traversal

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: QuiXplorer directory traversal
From: Cyrille Barthelemy <cb-lse@xxxxxxxxxxx>
Date: Sat, 14 Aug 2004 12:03:30 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 0.7 (X11/20040615)

Title:  QuiXplorer directory traversal
Affects:
        <= QuiXplorer 2.3
Effect: file disclosure, web server's user read access
Id: cbsa-0003
Release Date: 2004 08 14
Author: Cyrille Barthelemy <cb-publicbox@xxxxxxxxxxx>


-- 1. Introduction
------------------
From QuiXplorer documentation :

"QuiXplorer is a simple, but fully functional, file manager for websites.
QuiXplorer allows you to browse the files & directories on your webserver
(with PHP4). (without using an external FTP-client)"


-- 2. Problem
-------------

QuiXplorer does not apply filters on user inputs when a download isrequested.The directory parameter is well filtered to check that it does notcreate a requestthat goes outside the authorized directories, but the item can containsparent directory

references.

As quixplorer does not make the request ing the web server features, anyfile on the

server can be obtained (according to jail or chroot).


-- 3. Solution
--------------

Apply the given attached patch against the QuiXplorer 2.3 sources ordownload the

latest version (2.3.1) from the web site.


-- 4. References
----------------
  - QuiXplorer web site
        http://quixplorer.sourceforge.net/


-- 5. History
-------------
2004-08-12
        - Vulnerability discovered
2004-08-12
        - Vulnerability reported to quixproject at users.sourceforge.net
        - Vendor response, new version available
2004-08-14
        - Release

        
-- 6. Patch
-----------
------------8<-------------

--- quixplorer_2_3.orig/.include/fun_down.php 2003-04-2522:15:28.000000000 +0200

+++ quixplorer_2_3/.include/fun_down.php        2004-08-12 14:23:46.551569904 
+0200
@@ -39,6 +39,7 @@

------------------------------------------------------------------------------*/

//------------------------------------------------------------------------------
 function download_item($dir, $item) {          // download file
+       $item=basename($item);

if(($GLOBALS["permissions"]&01)!=01)show_error($GLOBALS["error_msg"]["accessfunc"]);if(!get_is_file($dir,$item)) show_error($item.":".$GLOBALS["error_msg"]["fileexist"]);if(!get_show_item($dir, $item)) show_error($item.":".$GLOBALS["error_msg"]["accessfile"]);


------------8<-------------


--
Cyrille Barthelemy
Epita SRS
http://www.cyrille-barthelemy.com
http://www.vnet-project.org

Prev by Date: SGI Advanced Linux Environment 3 Security Update #9
Next by Date: SpecificMAIL Technical Brief
Previous by thread: SGI Advanced Linux Environment 3 Security Update #9
Next by thread: SpecificMAIL Technical Brief
Index(es):
- Date
- Thread