In-Reply-To: <20040820225036.17877.qmail@xxxxxxxxxxxxxxxxxxxxx> >B. Unspecified File Download Vulnerability > >B1. An error in the MyDMS software allows to a >registered users (and only to >registered users) to download any file, such >as /etc/passwd, by inserting in a >parameter a text such as ../../../../../etc/passwd. >Contact: The author has released a new version (1.4.3) that solves the problem avoid arbitrary file download. Problem Description : ~~~~~~~~~~~~~~~~~ When do you want to download any file stored in MyDMS internally calls to a PHP script (called op.ViewOnline.php). The Parameter 'request' of this script is a field with 3 parts, separated by the ':' char. The first part is the DocumentID (DocumentID in database). The second part is the Document Version. The thirst part is the document name. I don't know why the author uses the thirst part (the document name), because he has the DocumentID to retrieve it (or it's name) from the MySQL Database server. The problem is the following : If you change the document name with, in example, ../../../../../etc/passwd, you will download the file /etc/passwd from the Web Server. To try the vulnerability follow these steps : 1.- Login in to MyDMS 2.- Enter the following URL in your browser : http://<site-with-mydms>/mydms/op/op.ViewOnline.php?request=4:6:/../../../../../../../../../../../../etc/passwd Where '4' is the document id and '6' is the document version. You need to known a valid document id and a valid document version as well as you need an account in the MyDMS system, but an user with this data may download any file that he/she wants. Bye
