
phpdevshell team mailing list archive

[Bug 887044] Re: gzip injection utter and easy serious security flaw

 

This is an extremely bad flaw, I have no idea how this slipped our eye.
I have rewritten the whole compression model and made sure that this is
now impossible!

-- 
You received this bug notification because you are a member of
PHPDevShell, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/887044

Title:
  gzip injection utter and easy serious security flaw

Status in Open Source PHP RAD Framework with UI.:
  Fix Committed

Bug description:
  I just downloaded PHPDS (I did not know the existence of this
  framework, discovered it on a demo of resellerspanel control panel).

  I opened the two root files index.php and gzip.php to check the code.
  In gzip.php I found a serious security problem. File locations are not
  filtered, and I can download any file from demo.phpdevshell.org...
  even config files... depending on how the server/hosting account is
  set up, I imagine I could download any OS file...

  Example:
  http://demo.phpdevshell.org/gzip.php?file=config/single-site.config.php
  http://demo.phpdevshell.org/gzip.php?file=other/service.php

  If I examined how the framework works, I could probably get files from
  the write folder (logs, cache etc.).

  Please look into it - thank you.
  Antonis A.

To manage notifications about this bug go to:
https://bugs.launchpad.net/phpdevshell/+bug/887044/+subscriptions
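For readers wanting to see what "file locations are filtered" looks like in practice, here is an added illustration of a hardened compressed-file endpoint; it is not PHPDevShell's code nor the committed fix, and ASSET_ROOT, ALLOWED_EXTENSIONS and the function names are assumptions made for the example.

```php
<?php
// Added example, not PHPDevShell's code: a hardened "serve this file
// gzip-compressed" endpoint. ASSET_ROOT, ALLOWED_EXTENSIONS and the
// function names are assumptions for illustration.
declare(strict_types=1);
// Only files below this directory are ever served. Assumption: a dedicated
// static-asset directory, never the application root or its config/ tree.
const ASSET_ROOT = __DIR__ . '/public/assets';
// Only these extensions are served; .php sources and config files are not.
const ALLOWED_EXTENSIONS = ['css', 'js'];

/** Canonical absolute path for a safe request, or null to refuse it. */
function resolve_asset(string $requested): ?string
{
    // Accept only a plain relative path made of safe characters.
    if (!preg_match('~^[A-Za-z0-9_][A-Za-z0-9_\-./]*$~', $requested)) {
        return null;
    }
    // No parent-directory segments anywhere in the request.
    if (strpos($requested, '..') !== false) {
        return null;
    }
    $root = realpath(ASSET_ROOT);
    $path = realpath(ASSET_ROOT . '/' . $requested);
    // realpath() resolves symlinks and fails for missing files, so the
    // containment check below is done on canonical paths only.
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null; // resolved outside ASSET_ROOT (e.g. through a symlink)
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $path : null;
}

function serve_compressed_asset(string $requested): void
{
    $path = resolve_asset($requested);
    if ($path === null) {
        http_response_code(404); // refuse without echoing the request
        return;
    }
    $type = substr($path, -4) === '.css' ? 'text/css' : 'application/javascript';
    header('Content-Type: ' . $type);
    header('Content-Encoding: gzip');
    echo gzencode((string) file_get_contents($path), 6);
}

serve_compressed_asset((string) ($_GET['file'] ?? ''));
```

The two checks that matter are the canonical-path containment test and the extension allowlist; either alone would still have let a request like the ones in the report reach a config file through a symlink or a renamed source file.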
