#3410 - Directory traversal (any file download)

cubecart · Oct 30, 2023 · 5c9f630 · 5c9f630
1 parent 100cbe8
commit 5c9f630
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/admin/sources/filemanager.index.inc.php b/admin/sources/filemanager.index.inc.php
@@ -17,7 +17,10 @@
 
 
 if(isset($_GET['download_file']) && !empty($_GET['download_file'])) {
-    $file = CC_ROOT_DIR.'/'.base64_decode($_GET['download_file']);
+    $file = base64_decode($_GET['download_file']);
+    $file = str_replace(array('..'.DIRECTORY_SEPARATOR,'.'.DIRECTORY_SEPARATOR),'',$file);
+    $file = ltrim($file, DIRECTORY_SEPARATOR);
+    $file = CC_ROOT_DIR.'/'.$file;
     if(file_exists($file)) { // It really should exist
         deliverFile($file);
     }