0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal: securing open-source projects.

LMS Local File Disclosure

The Issue

A Local File Disclosure (LFD) vulnerability allows an attacker to read the contents of arbitrary files on the target system, limited to the files that the account the application runs under (here, the web server user) has permission to read.

0dd identified that the LMS project contained a Local File Disclosure vulnerability, which could be triggered by an unauthenticated user via a GET parameter ($_GET['db']).

Where the Issue Occurred

The code below, from /modules/dbview.php, shows that the attacker controls part of the path stored in the $filename variable:

$filename = ConfigHelper::getConfig('directories.backup_dir').'/lms-'.$_GET['db'].'.sql';

The $filename variable is then passed to the readfile_chunked function, which opens the file with fopen and echoes its contents to the response in chunks:

// readfile_chunked(): streams $filename to the client in chunks. The signature,
// $chunksize and the return value are assumed from the common PHP pattern; the
// loop is the code quoted on this page. Nothing here validates $filename.
function readfile_chunked($filename, $retbytes = true)
{
    $chunksize = 1024 * 1024; // assumed: 1 MB per read
    $cnt = 0;
    $handle = fopen($filename, 'rb');
    if ($handle === false)
        return false;
    while (!feof($handle))
    {
        $buffer = fread($handle, $chunksize);
        echo $buffer;
        flush();
        if ($retbytes)
            $cnt += strlen($buffer);
    }
    fclose($handle);
    return $retbytes ? $cnt : true;
}

As shown above, 'lms-' is prepended and '.sql' is appended to the attacker-controlled value, and no character in that value is filtered. On PHP versions before 5.3.4 the '.sql' suffix can be cut off with a URL-encoded null byte (%00), because fopen() treated the NUL as the end of the path; combined with directory traversal sequences (../), which are not filtered either, this lets an unauthenticated attacker read any file the web server process can read, for example with db=../../../../etc/passwd%00. On PHP 5.3.4 and later, filesystem functions reject paths containing a NUL byte, so the suffix stays in place and only files named lms-*.sql are reachable, but the traversal itself is still unrestricted.
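A hardened replacement for the path construction in /modules/dbview.php, as an added example (not the LMS project's code, and not the fix the project actually shipped, which this page does not show). It assumes PHP 7.1 or later and the function and variable names used below; the files it creates are constructed for the illustration. The point is to validate the identifier against a whitelist before any filesystem call, so that neither a NUL byte nor a traversal sequence ever reaches fopen(), and then to confirm that the canonicalised path is still inside the backup directory:

```php
<?php
// Added example, not LMS project code: a hardened replacement for the path
// construction in /modules/dbview.php. The function name, $backupDir and
// the demo files are assumptions made for this illustration.

function resolve_backup_file(string $backupDir, string $db): ?string
{
    // 1. Whitelist the identifier before it touches any filesystem call.
    //    Only [A-Za-z0-9_-] is allowed, so "/", "\", ".", and NUL bytes
    //    (a URL-encoded %00 arrives in $_GET as a literal "\0") all fail.
    //    \A and \z anchor the whole string; "$" alone would accept a
    //    trailing newline.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $db)) {
        return null;
    }

    $base = realpath($backupDir);
    if ($base === false) {
        return null; // backup directory missing or unreadable
    }

    $candidate = realpath($base . DIRECTORY_SEPARATOR . 'lms-' . $db . '.sql');
    if ($candidate === false) {
        return null; // no such backup
    }

    // 2. Defence in depth: the canonicalised path must still lie inside the
    //    backup directory, which also catches a symlink planted in it.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $candidate;
}

// Demo fixture: constructed files in a temporary directory.
$root = sys_get_temp_dir() . '/lfd-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/backups', 0700, true);
file_put_contents($root . '/backups/lms-nightly.sql', "-- dump\n");
file_put_contents($root . '/secret.txt', "not for you\n");
symlink($root . '/secret.txt', $root . '/backups/lms-link.sql');

$attempts = [
    'nightly'             => 'legitimate backup name',
    "../secret.txt\0"     => 'null-byte truncation (%00 decoded)',
    '../../../etc/passwd' => 'plain traversal',
    'link'                => 'well-formed name, but a symlink out of the dir',
];
foreach ($attempts as $db => $what) {
    $path = resolve_backup_file($root . '/backups', $db);
    printf("%-48s -> %s\n", $what,
        $path === null ? 'rejected' : 'allowed: ' . basename($path));
}

// Clean up the fixture.
foreach (['/backups/lms-link.sql', '/backups/lms-nightly.sql', '/secret.txt'] as $f) {
    unlink($root . $f);
}
rmdir($root . '/backups');
rmdir($root);
```

Run it with php on the command line; the fixture is created under the system temp directory and removed at the end (the symlink case needs a platform that permits creating symlinks). Only the legitimate name resolves; the null-byte, traversal and symlink attempts are all refused. Rejecting on a whitelist rather than stripping '../' or "\0" from the input matters: sanitising by deletion tends to leave bypasses (a single pass over '....//' yields '../'), while a fail-closed match does not.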

Disclosure Timeline

  • Issue Reported: 30th May 2018
  • Issue Resolved: 30th May 2018
  • Blog Post Published: 1st June 2018
  • Applied for CVE: 24th June 2018