
PRADO PHP Framework 3.2.0 Arbitrary File Read Vulnerability

Severity: Medium
Advisory ID: ZSL-2012-5113
Release Date: 26 November 2012
Vendor: Prado Software - http://www.pradosoft.com
Affected Version: 3.2.0 (r3169)
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.4, MySQL 5.5.25a
Summary

PRADO is a component-based and event-driven programming framework for developing Web applications in PHP 5. PRADO stands for PHP Rapid Application Development Object-oriented.

Description

Input passed to the 'sr' parameter in 'functional_tests.php' is not properly sanitised before being used to read the contents of a resource. The only check performed is that realpath() resolves the constructed path to an existing file; nothing verifies that the resolved path still lies below the intended 'selenium' directory. This can be exploited to read arbitrary files from the local filesystem via a directory traversal attack.

/tests/test_tools/functional_tests.php:
---------------------------------------

$TEST_TOOLS = dirname(__FILE__);

if(isset($_GET['sr']))
{
    if(($selenium_resource=realpath($TEST_TOOLS.'/selenium/'.$_GET['sr']))!==false)
        echo file_get_contents($selenium_resource);
    exit;
}
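The following is an added example written for this advisory, not code from PRADO or from the advisory author. It shows how the same 'sr'-to-file_get_contents pattern can be made safe: realpath() is still used to canonicalise the requested path, but the canonical result is then checked for containment within the canonical base directory before anything is read. The function name resolve_selenium_resource(), the variable names and the temporary demo tree it builds are all assumptions made for the example.

```php
<?php
// Added example (not PRADO's code). Hardened counterpart of the vulnerable
// pattern: resolve the user-supplied path, then refuse anything whose
// canonical form escapes the base directory.

/**
 * Resolve $requested relative to $baseDir and return the canonical absolute
 * path only if it is a regular file inside $baseDir; otherwise return null.
 * (Function name and signature are assumptions for this example.)
 */
function resolve_selenium_resource(string $baseDir, string $requested): ?string
{
    // Reject embedded NUL bytes up front: PHP 8 filesystem functions throw a
    // ValueError on them, and older versions silently truncate the path.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Trailing separator so that "/srv/selenium-evil" does not pass a prefix
    // check against "/srv/selenium".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() collapses '.', '..' and symlinks, so the containment check
    // below runs against the path that would actually be opened.
    $resolved = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }

    // The check the original code lacks: the canonical target must start
    // with the canonical base directory.
    if (strncmp($resolved, $base, strlen($base)) !== 0) {
        return null;
    }
    return $resolved;
}

// --- Constructed demo tree (made up for this example, not from the advisory) ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'prado_demo_' . uniqid();
$seleniumDir = $root . DIRECTORY_SEPARATOR . 'selenium';
mkdir($seleniumDir, 0700, true);
file_put_contents($seleniumDir . DIRECTORY_SEPARATOR . 'TestRunner.html', "<html>runner</html>\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'outside.txt', "must never be served\n");

// Sample values an 'sr' parameter might carry: one legitimate resource, two
// traversal attempts that the original realpath()-only check would accept,
// and one non-existent file.
$requests = ['TestRunner.html', '../outside.txt', './../outside.txt', 'missing.html'];
foreach ($requests as $sr) {
    $path = resolve_selenium_resource($seleniumDir, $sr);
    printf("%-20s -> %s\n", $sr, $path === null ? 'refused' : 'served ' . basename($path));
}

// Remove the demo tree again.
unlink($seleniumDir . DIRECTORY_SEPARATOR . 'TestRunner.html');
unlink($root . DIRECTORY_SEPARATOR . 'outside.txt');
rmdir($seleniumDir);
rmdir($root);
```

Run it with the PHP CLI; only 'TestRunner.html' is served, the two traversal variants and the missing file are refused. Two design notes: the prefix comparison is byte-exact, so on a case-insensitive filesystem (such as the Windows setup listed under Tested On) the base directory should be compared with strncasecmp() or, better, the resource names should be validated against an allowlist of expected files; and because the check is applied to realpath()'s output rather than the raw parameter, it also catches escapes that go through symlinks rather than literal '..' segments.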
Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
26.11.2012 - Initial release
28.11.2012 - Added reference [5], [6] and [7]