High-Tech Bridge Security Research Lab discovered a path traversal vulnerability in AWS XMS, which can be exploited to read the contents of arbitrary files.
- Path Traversal in AWS XMS: CVE-2013-2474
The vulnerability exists due to insufficient filtration of the "what" HTTP GET parameter passed to the "/importer.php" script before it is used in the PHP "file()" function. A remote attacker can read the contents of arbitrary files on the target system.
The vulnerable script sets a "text/javascript" Content-Type for the output data, which makes exploitation of the vulnerability via a web browser inconvenient. Exploitation via the telnet or wget utilities is easier.
The following PoC (Proof of Concept) code uses the wget utility to download the source code of the "/default.php" file, which contains application configuration data and the administrator's credentials:
wget http://[host]/importer.php?what=defaults.php%00.js
To bypass protections against NULL-byte injection (implemented in PHP 5.3.4 and later versions) or an enabled "magic_quotes_gpc", alternative techniques based on path normalization and length restrictions can be used.
The second PoC code uses a large number of "/" symbols (4096 is sufficient for the majority of platforms) to bypass the restrictions and get the source code of the "/default.php" file:
wget http://[host]/importer.php?what=defaults.php///////…//////.js
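Both PoCs above leave a recognisable shape in web-server access logs: a .php filename followed by a NULL byte or a long run of slashes, with ".js" appended only to satisfy the extension check. The following detection script is an added example, not part of the advisory; the log lines it scans are constructed samples in common log format, and the thresholds (eight or more slashes) are assumptions, not values from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory), common log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2013:12:00:01 +0000] "GET /importer.php?what=menu.js HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2013:12:00:02 +0000] "GET /importer.php?what=defaults.php%00.js HTTP/1.1" 200 2048
203.0.113.9 - - [10/Jun/2013:12:00:03 +0000] "GET /importer.php?what=defaults.php////////////.js HTTP/1.1" 200 2048
203.0.113.9 - - [10/Jun/2013:12:00:04 +0000] "GET /importer.php?what=..%2F..%2Fetc%2Fpasswd%00.js HTTP/1.1" 200 1024
203.0.113.11 - - [10/Jun/2013:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify(what: str) -> list[str]:
    """Return the suspicious traits found in one percent-decoded 'what' value."""
    findings = []
    if "\x00" in what:
        findings.append("null-byte")   # %00 terminator placed before the ".js" suffix
    if "../" in what or "..\\" in what:
        findings.append("dot-dot")     # classic directory traversal sequence
    if re.search(r"/{8,}", what):      # assumed threshold; the advisory's PoC uses ~4096
        findings.append("slash-run")   # path-normalisation / length-truncation trick
    if re.search(r"\.php(?:\x00|/)", what, re.IGNORECASE):
        findings.append("php-source")  # a PHP source file named before the terminator
    return findings


def scan_log(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Yield (client_ip, decoded_what, findings) for suspicious importer.php requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith("/importer.php"):
            continue
        # parse_qs percent-decodes, so %00 becomes a real NUL and %2F a slash.
        for what in parse_qs(parts.query, keep_blank_values=True).get("what", []):
            findings = classify(what)
            if findings:
                hits.append((line.split()[0], what, findings))
    return hits


if __name__ == "__main__":
    for ip, what, findings in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{what!r}\t{', '.join(findings)}")
```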