SlideShowPro Director File Disclosure Vulnerability
11 Aug. 2009
Summary
SlideShowPro Director is vulnerable to a file disclosure flaw because it fails to properly validate and handle input parameters. Attackers can exploit this vulnerability to read arbitrary files from the hosting web server. This issue exposes the confidentiality of any file residing on the same drive as the component, including configuration files with system access credentials, the source code of application pages, and possibly customer data files.
Vulnerable Systems:
* SlideShowPro Director version 1.3.8 and prior
Immune Systems:
* SlideShowPro Director version 1.3.9
The p.php file contains logic that is vulnerable to directory traversal attacks. The a parameter passed to this script carries a file name that can be set to any value, including one containing relative directory paths. The resulting file is retrieved and displayed.
The application incorporates scrambling/obfuscation techniques to mask the vulnerable parameter that is supplied to the application. A moderately skilled attacker can reverse the obfuscation without any access to the affected server or source code.
Vulnerable installations can be identified by the XML data file that SlideShowPro Director generates for use by the SlideShowPro component; it will contain base64-encoded a parameters for requests to the p.php script:
The affected parameter is only accepted as a GET variable. The web server should therefore log any exploitation attempts if basic logging of the query string is enabled. Identifying actual exploitation is hindered because the attack parameter is scrambled, but the logic to reverse this encoding can be extracted from the application code and settings if necessary. Web server error logs may also contain suspicious PHP file access warnings if a file requested by an attacker is not present.
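The log review described above can be scripted. The following Python is an added example for this advisory, not code from SlideShowPro or the original advisory. It assumes the a parameter is plain base64 (the advisory notes the real component applies further scrambling, which this example does not reverse; values that fail to decode are reported so an analyst can apply the reversal logic recovered from the application), and it runs over constructed Apache access- and error-log lines with documentation-range IP addresses. The PHP function name and line number in the constructed error-log line are illustrative.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
# The a= values are plain base64 of the file names shown in the comments.
SAMPLE_ACCESS_LOG = [
    # a = base64("img/pic1.jpg"): a normal gallery request
    '203.0.113.5 - - [11/Aug/2009:10:01:12 +0000] "GET /ssp/p.php?a=aW1nL3BpYzEuanBn HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    # a = base64("../../../etc/passwd"): traversal attempt, padding URL-encoded
    '203.0.113.9 - - [11/Aug/2009:10:02:40 +0000] "GET /ssp/p.php?a=Li4vLi4vLi4vZXRjL3Bhc3N3ZA%3D%3D HTTP/1.1" 200 1804 "-" "curl/7.19"',
    # a is not valid base64: needs the application-specific unscrambling
    '203.0.113.9 - - [11/Aug/2009:10:02:41 +0000] "GET /ssp/p.php?a=zz*not-b64*zz HTTP/1.1" 500 0 "-" "curl/7.19"',
    # unrelated request, ignored by the scanner
    '203.0.113.7 - - [11/Aug/2009:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Constructed Apache error-log lines; the PHP function and line number are illustrative.
SAMPLE_ERROR_LOG = [
    "[Tue Aug 11 10:02:41 2009] [error] [client 203.0.113.9] PHP Warning:  file_get_contents(../../../../does-not-exist.txt): failed to open stream: No such file or directory in /var/www/ssp/p.php on line 42",
    "[Tue Aug 11 10:05:00 2009] [notice] Apache/2.2 configured -- resuming normal operations",
]

# Apache combined format: client IP first, then the quoted request line.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Relative directory components (either slash style), absolute paths, Windows drive letters.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^[\\/]|^[A-Za-z]:')

# PHP warning about a file that could not be opened, raised from p.php.
ERROR_RE = re.compile(r'\[client (?P<ip>[^\]]+)\] PHP Warning:\s+\w+\((?P<name>[^)]*)\): failed to open stream.* in \S*p\.php')


def extract_a_param(target):
    """Return the raw a= value of a request for p.php, or None for other requests."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/p.php"):
        return None
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if name == "a":
            return unquote(value)  # decodes %xx only; '+' belongs to the base64 alphabet
    return None


def decode_a(value):
    """Base64-decode the parameter; return the file name, or None if it is not plain base64."""
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(file_name):
    """'traversal' when the decoded name leaves the intended directory, else 'ok'."""
    return "traversal" if TRAVERSAL_RE.search(file_name) else "ok"


def scan_access_log(lines):
    """One finding per p.php request: (client ip, raw a value, decoded name, verdict)."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        value = extract_a_param(m.group("target"))
        if value is None:
            continue
        name = decode_a(value)
        verdict = "undecodable" if name is None else classify(name)
        findings.append((m.group("ip"), value, name, verdict))
    return findings


def scan_error_log(lines):
    """(client ip, requested file name) for each failed file open reported by p.php."""
    return [(m.group("ip"), m.group("name")) for m in map(ERROR_RE.search, lines) if m]


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print("access-log:", *finding)
    for hit in scan_error_log(SAMPLE_ERROR_LOG):
        print("error-log:", *hit)
```

Requests whose a value does not decode are reported as undecodable rather than dropped, because with the real scrambling in place those are exactly the entries an analyst must run through the reversal logic extracted from the application.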