[SECURITY] PHP Download Vulnerability

Discussion in 'PHP' started by Phyx, Oct 28, 2015.

  1. Phyx

    Phyx Member

    Oftentimes people wish to allow for file downloads on their website. One way this can be done oftentimes opens your website up to be exploited easily.

    Example:
    example.com/files/download.php?filepath=eBook.pdf --- when loaded, the script streams the PDF binary to your browser, the file is crafted on your machine.

    An insecure system would allow a directory traversal attack and for access to the source of files the individual should not be able to read.
    example.com/files/download.php?filepath=download.php

    The PHP source of download.php would be visible to the attacker, then the person could look at the index.php and browse through the dependencies/requires, like "/conf/db.php" and from there the attacker could attempt to sign on to PHPMYADMIN if it is installed, they could try the credentials on your FTP/CPANEL, it is possible that the person may escalate access by being able to access confidential files --- they could place a shell on the web server. Handling file exchanges securely is obviously very important as you can see. :cool:

    Feel free to check for insecure download scripts on Google, make your own Google dorks too there are many others to be made.

    Code:
    inurl:filepath download.php
     

Share This Page