External Control of File Name or Path in hascheksolutions/opentrashmail
Jun 25th 2021
Attackers can control the filesystem path argument at api.php line 35 via the ?email= parameter, which allows them to access or modify otherwise protected files.
- The application takes unsanitized input at:
$email = strtolower($_REQUEST['email']);
- The user input is assigned into a file path:
$filepath = ROOT.DS.'..'.DS.'data'.DS.$email.DS.'attachments'.DS.$id.'-'.$filename;
- Finally, the file is read at:
Proof of Concept
1. Visit /api.php?action=attachment&email=\..\..\..\..\..\Windows\win.ini&id=valid_id&filename=valid_finalname with the GET variables replaced by valid values; arbitrary files on the server can then be read.
The program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker. Impact: arbitrary file read and information leakage.
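A hardened replacement for the path construction quoted above, as an added example that is not opentrashmail's own code. ROOT and DS mirror the names used in the report; the validation regexes, the function name safeAttachmentPath and the call site in the comment are assumptions.

```php
<?php
// Added example, not opentrashmail's own code: build the attachment path only
// from allow-listed components and verify containment after resolution.
define('DS', DIRECTORY_SEPARATOR);
define('ROOT', __DIR__);

/**
 * Returns the resolved attachment path, or null when any input is malformed,
 * the file does not exist, or the resolved path escapes the data directory.
 */
function safeAttachmentPath(string $email, string $id, string $filename): ?string
{
    // Allow-list each component: no separators, no dot-segments, no NUL bytes.
    // Mail addresses may legally contain "/" in the local part, but a mailbox
    // directory name has no reason to, so the pattern rejects it outright.
    if (!preg_match('/^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$/i', $email)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $id)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._ -]+$/', $filename) || $filename === '..') {
        return null;
    }

    // Resolve the base directory once, then require the final path to stay
    // beneath it. realpath() collapses ".." and symlinks, so this second check
    // catches anything the regexes did not anticipate.
    $base = realpath(ROOT . DS . '..' . DS . 'data');
    if ($base === false) {
        return null;
    }
    $candidate = $base . DS . strtolower($email) . DS . 'attachments'
               . DS . $id . '-' . $filename;
    $resolved = realpath($candidate);
    if ($resolved === false || strpos($resolved, $base . DS) !== 0) {
        return null; // missing file, or resolved outside data/
    }
    return $resolved;
}

// Assumed call site in api.php, replacing the direct concatenation:
// $path = safeAttachmentPath($_REQUEST['email'] ?? '', $_REQUEST['id'] ?? '',
//                            $_REQUEST['filename'] ?? '');
// if ($path === null) { http_response_code(400); exit; }
// readfile($path);
```

With this in place the traversal input from the proof of concept fails the email pattern, and any path that still resolved outside data/ would be rejected by the containment check.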