PRADO PHP Framework 3.2.0 Arbitrary File Read Vulnerability

Title: PRADO PHP Framework 3.2.0 Arbitrary File Read Vulnerability
Advisory ID: ZSL-2012-5113
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 26.11.2012
Summary
PRADO is a component-based and event-driven programming framework for developing Web applications in PHP 5. PRADO stands for PHP Rapid Application Development Object-oriented.
Description
Input passed to the 'sr' parameter in 'functional_tests.php' is not properly sanitised before being used to get the contents of a resource. This can be exploited to read arbitrary data from local resources with directory traversal attack.

--------------------------------------------------------------------------------

/tests/test_tools/functional_tests.php:
---------------------------------------

3: $TEST_TOOLS = dirname(__FILE__);
4:
5: if(isset($_GET['sr']))
6: {
7:
8: if(($selenium_resource=realpath($TEST_TOOLS.'/selenium/'.$_GET['sr']))!==false)
9: echo file_get_contents($selenium_resource);
10: exit;
11: }

--------------------------------------------------------------------------------

Vendor
Prado Software - http://www.pradosoft.com
Affected Version
3.2.0 (r3169)
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.4
MySQL 5.5.25a
Vendor Status
N/A
PoC
prado_fileread.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://cxsecurity.com/issue/WLB-2012110184
[2] http://www.exploit-db.com/exploits/22937/
[3] http://packetstormsecurity.org/files/118348
[4] http://www.securityfocus.com/bid/56677
[5] http://xforce.iss.net/xforce/xfdb/80266
[6] http://www.osvdb.org/show/osvdb/87873
[7] http://www.osvdb.org/show/osvdb/87874
Changelog
[26.11.2012] - Initial release
[28.11.2012] - Added reference [5], [6] and [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk