LMS Local File Disclosure
The Issue
A Local File Disclosure (LFD) vulnerability allows an attacker to disclose the contents of files on the target system, provided the victim user has read permissions to the specified file.
0dd identified that the LMS project contained a Local File Disclosure vulnerability which could be triggered by an unauthenticated user via a GET variable ($_GET['db']).
Where the Issue Occurred
The code below shows that an attacker controls the path held in the $filename variable (found in /modules/dbview.php):
```php
$filename = ConfigHelper::getConfig('directories.backup_dir').'/lms-'.$_GET['db'].'.sql';
```
The $filename variable is then passed to the readfile_chunked function, which opens the file with fopen and prints its contents straight into the response:
```php
// Excerpt of readfile_chunked(). The function wrapper, the $chunksize
// initialisation and the final fclose/return are reconstructed here;
// the advisory shows only the read loop.
function readfile_chunked($filename, $retbytes = true)
{
    $chunksize = 1024 * 1024; // bytes per fread() call (assumed value)
    $cnt = 0;
    $handle = fopen($filename, 'rb'); // $filename is attacker-controlled
    if ($handle === false) {
        return false;
    }
    while (!feof($handle)) {
        $buffer = fread($handle, $chunksize);
        echo $buffer; // file contents are written directly to the client
        flush();
        if ($retbytes) {
            $cnt += strlen($buffer);
        }
    }
    fclose($handle);
    return $retbytes ? $cnt : true;
}
```
As shown above, .sql is appended to the file name; however, in some versions of PHP this suffix can be bypassed with a null byte terminator (%00), allowing an attacker to read other files on the file system that the application's user can access.
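As an added example (not LMS project code), the following hardened version of the path construction rejects any name that does not match a strict allowlist and then confirms the resolved file still lies inside the backup directory; the function name, the temporary directory and the sample dump file are assumptions for illustration.

```php
<?php
// Added example, not code from the LMS project. safe_backup_path() and the
// directory used below are assumptions for illustration.

/**
 * Returns the absolute path of an existing backup file for $db, or null
 * when the name is rejected or the file would fall outside $backupDir.
 */
function safe_backup_path(string $backupDir, string $db): ?string
{
    // 1. Allowlist the name before any filesystem call. This rejects "/",
    //    "\", "..", and NUL bytes, so the ".sql" suffix can no longer be cut
    //    off (PHP before 5.3.4 truncated paths at a NUL byte).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $db)) {
        return null;
    }

    $base = realpath($backupDir);
    if ($base === false) {
        return null; // backup directory missing or unreadable
    }

    // 2. Resolve the candidate and verify it is still inside $base, which
    //    also catches symlinks placed in the backup directory.
    $candidate = realpath($base . '/lms-' . $db . '.sql');
    if ($candidate === false) {
        return null; // no such backup file
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the backup directory
    }
    return $candidate;
}

// Constructed usage with a temporary backup directory and a sample dump.
$backupDir = sys_get_temp_dir() . '/lms-backups-example'; // assumed location
@mkdir($backupDir, 0700);
file_put_contents($backupDir . '/lms-nightly.sql', "-- constructed sample dump\n");

var_dump(safe_backup_path($backupDir, 'nightly'));   // accepted: absolute path
var_dump(safe_backup_path($backupDir, "nightly\0")); // rejected: NUL byte
var_dump(safe_backup_path($backupDir, 'a/b'));       // rejected: path separator
var_dump(safe_backup_path($backupDir, 'missing'));   // rejected: file absent
```

Validating the name first means the unchecked string never reaches fopen, and the realpath comparison gives a second, independent boundary check if the allowlist is ever loosened.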
Disclosure Timeline
- Issue Reported: 30th May 2018
- Issue Resolved: 30th May 2018
- Blog Post Published: 1st June 2018
- Applied for CVE: 24th June 2018