meltingice / CamanJS

Javascript HTML5 (Ca)nvas (Man)ipulation

Home Page: http://camanjs.com

CamanJS-master/proxies/caman_proxy.php open proxy

lcashdol opened this issue · comments

Hello All,
caman_proxy.php acts as an unauthenticated open proxy. It can also be used to read local files on a system as long as they end with an image extension like .jpg, .png, .gif, .jpeg.

Open Proxy:
http://www.vapidlabs.com/wp-content/plugins/grand-media/assets/image-editor/camanjs/proxies/caman_proxy.php?camanProxyUrl=http://192.168.0.2/banner3.jpeg

Local Image Files:
http://www.vapidlabs.com/wp-content/plugins/grand-media/assets/image-editor/camanjs/proxies/caman_proxy.php?camanProxyUrl=/tmp/loader.gif
I've also filed a vulnerability report with the authors of the grand media WordPress plugin.

If a user changes the default behavior of requiring a specific extension on line 4 to true:
define('ALLOW_NO_EXT', false);
then caman_proxy.php can be used to read sensitive system files on a local system.
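
An added example, not part of the original issue and not CamanJS code: one way a proxy of this kind can validate `camanProxyUrl` before fetching, so that local paths, internal addresses and hosts outside an allowlist are refused. The allowlist, the function names and the DNS answers are assumptions constructed for illustration.

```php
<?php
// Added example, not CamanJS code. Names and the allowlist are hypothetical.
const ALLOWED_HOSTS = ['images.example.com', 'cdn.example.com']; // constructed
const IMAGE_EXTS    = ['jpg', 'jpeg', 'png', 'gif'];

// True only for addresses outside private and reserved (loopback, link-local) ranges.
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns null if the URL may be fetched, otherwise the reason it is refused.
// $resolver is injectable so the checks can be run offline; default is real DNS.
function reject_reason(string $url, ?callable $resolver = null): ?string
{
    $resolver = $resolver ?? 'gethostbynamel';
    $parts = parse_url(trim($url));
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return 'not an absolute URL, local paths are refused';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'scheme is not http or https';
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return 'host is not on the allowlist';
    }
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, IMAGE_EXTS, true)) {
        return 'path does not end in an image extension';
    }
    $ips = $resolver($host);
    if (!$ips) { return 'host does not resolve'; }
    foreach ($ips as $ip) {   // every answer must be public, not just the first
        if (!is_public_ip($ip)) {
            return "allowlisted host resolves to non-public address $ip";
        }
    }
    return null;
}

// Constructed DNS answers and inputs; the first two mirror the shapes in the report.
$dns = ['images.example.com' => ['93.184.216.34'], 'cdn.example.com' => ['10.0.0.5']];
$resolve = fn(string $h) => $dns[$h] ?? false;
foreach (['http://192.168.0.2/banner3.jpeg', '/tmp/loader.gif',
          'http://cdn.example.com/a.png', 'https://images.example.com/a.png'] as $u) {
    printf("%-36s %s\n", $u, reject_reason($u, $resolve) ?? 'allowed');
}
```

Validation alone leaves a gap between the DNS check and the fetch, so the fetch should connect to the address that was validated and should not follow redirects.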

commented

The link is bad....

Ah, sorry, those were just example proof-of-concept exploits; this is a better write-up:
http://www.vapidlabs.com/advisory.php?v=122