Arbitrary File Download

The web application was vulnerable to directory traversal leading to un-authenticated download of arbitrary files.

Namratha GM
2 min read · Jul 22, 2020

Here is a story of a security bug: Arbitrary File Download. Yes!! this isn't a rare scenario. But I thought of a short write-up as I came across this vulnerability after a while during a security assessment.

Web applications provide file download functionality for business needs. If they do not restrict which files a user may view or download, a malicious user can reach restricted directories and files outside the context of the application.

An Arbitrary File Download vulnerability abuses the file download functionality of an application that fails to confine users to a specific directory, letting them download sensitive files from anywhere on the server.

The Scenario

As mentioned earlier, I will keep this real quick & short. The web application had two-level user access: normal and admin users. Normal users can upload files, which later get rendered for the admin user with a download option.

Clicking on the file download option would reveal the path parameter, a classic scenario for directory traversal 😉. A few tries and boom! I could download the passwd file from the server. It was also possible to download multiple other sensitive files from the server, including the /etc/shadow file. Yess!! the web server is running as root… sadly, I can't go beyond this point due to testing restrictions.

This scenario may look like LFI at first impression, as I traversed back through all the directories to access the gems :). However, they are different considering the mode of exploitation. But both take advantage of directory traversal allowed on the server.

(Screenshot: File Download Option)

First, the file download function allowed arbitrary file download. Second, when combined with forceful browsing (reaching the download endpoint directly without logging in), it turned into unauthenticated arbitrary file download.
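To make the two defects above concrete, here is an added example (not code from the post or from the application that was tested) of a download handler in Python: a vulnerable version that joins the user-supplied path straight onto the upload root, beside a hardened one that first requires an authenticated admin session and then canonicalises the path before serving it, covering both the traversal and the forceful-browsing point. The sandbox upload directory, the file names, the session dict shape and the "admin" role check are all constructed assumptions.

```python
import os
import tempfile
from pathlib import Path
from typing import Tuple

# Constructed sandbox (not from the post): an "uploads" directory that plays
# the role of the application's download root, and a sibling file outside it
# that plays the role of a sensitive file such as /etc/passwd.
_SANDBOX = Path(tempfile.mkdtemp(prefix="afd_demo_")).resolve()
UPLOAD_ROOT = _SANDBOX / "uploads"
UPLOAD_ROOT.mkdir()
(UPLOAD_ROOT / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample upload")
(_SANDBOX / "secret.txt").write_bytes(b"constructed: stands in for /etc/passwd")
try:
    # A symlink planted inside the root that points outside it: the hardened
    # resolver must reject this too, not only literal "../" sequences.
    (UPLOAD_ROOT / "link").symlink_to(_SANDBOX / "secret.txt")
except OSError:
    pass  # platform without symlink support; the other checks still run


def vulnerable_download(path_param: str) -> bytes:
    """The flawed pattern from the write-up: the request's path parameter is
    joined onto the root and read, with no check that the result is still
    inside UPLOAD_ROOT and no check of who is asking."""
    return (UPLOAD_ROOT / path_param).read_bytes()


def resolve_inside(root: Path, path_param: str) -> Path:
    """Canonicalise the requested path and refuse anything outside root.
    realpath() collapses '..' and follows symlinks, so both a traversal
    sequence and an out-of-root symlink end up rejected by the same test.
    An absolute path_param would replace the root in os.path.join, which
    is why the check is done on the joined result, not on the input."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, path_param))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes download root: {path_param!r}")
    return Path(candidate)


def handle_download(session: dict, path_param: str) -> Tuple[int, bytes]:
    """Hardened handler (assumed session shape): authenticate and authorise
    before touching the filesystem, then resolve the path safely.
    Returns an (HTTP status, body) pair."""
    if session.get("role") != "admin":  # closes the forceful-browsing hole
        return 401, b"authentication required"
    try:
        target = resolve_inside(UPLOAD_ROOT, path_param)
    except PermissionError:
        return 403, b"forbidden"
    if not target.is_file():
        return 404, b"not found"
    return 200, target.read_bytes()


if __name__ == "__main__":
    print(vulnerable_download("../secret.txt"))                   # flaw: reads outside the root
    print(handle_download({"role": "admin"}, "report.pdf")[0])    # 200
    print(handle_download({"role": "admin"}, "../secret.txt")[0]) # 403
    print(handle_download({"role": "admin"}, "/etc/passwd")[0])   # 403
    print(handle_download({}, "report.pdf")[0])                   # 401
```

The order of checks in handle_download matters: the session check runs before any path handling so that an unauthenticated request never learns whether a path exists, and the resolver compares canonical paths rather than searching the input for "../", which is the check string-filtering approaches tend to get wrong.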

(Screenshot: downloading the /etc/passwd file from the server) Whooo! Downloaded the passwd file from the server

Hope you enjoyed reading! ☺
