PHP Downloader Vulnerability

Hi Folks,
this morning I wanna point out a very useful (ok, it depends :) ) vulnerability found inside some PHP Downloader. First of all Let me say what is a vulnerability: " We call vulnerability a bug with security implications " . So if your code has a bug probably it could be vulnerable at some kind of attacks. In this particular scenario the code looks like that:




No controls on file type, no controls on location. Just give the file's name and the file's path and it'll open it in read mode. This is a bug. Why this bug can been considered Vulnerability ? Because if you ask some specific System's files to this downloader implementation, it will give you every files you want.
Just for example you can try with the following URI (maybe someone has been fixed):


http://www.mpbp.gov.my/download.php?file=download.php
http://elearning.mmu.edu.my/download.php?file=download.php
http://www.utem.edu.my/fkp/latihanIndustri/download.php?file=../../../../../../etc/passwd
http://www.moe.gov.my/pipp/download.php?filename=/../../../../../../etc/passwd


One of the previous URI gave me the following file which shows the passwd file of the machine. Here it is.



As you may see, from the users names, it's very easy to figure out which kind of services the machine has. For instance the machine runs clam AntiVirus, ssh server, virtual console, MySQL and so forth. For the most experts of you, it's easy forging this request exploiting the server asking for passwords' file and/or for system's files... Thanks to google, this bug which is just became a Vulnerability; can reach the MassVulnearbility status and - if coded inside a script - (for instance a perl script) it can become a Massive Exploit. Why I'm saying that ? Using google it's easy to find lots of different pages affected to this bug. Just typing : inurl:”download.php?file=*.pdf” you will find lots of download.php file. Now try to change some parameters on the URI bar and here we are ! You've just found plenty of vulnerable downloader scripts. Well, this post doesn't want teaching how to overuse this Vulnerability, it doesn't want teaching hacking and/or how to break security too. I wanna only say -through it- that, not every bug is a vulnerability and also not every vulnerability comes from a bug (let think to Social Engineering), BUT most of vulnerabilities come from developer and/or programming mistakes. For this reason it so important don't sleep a code.... trying to avoid this elementary security mistakes.... and it's so important having a good software engineering project behind your shoulders able to prevent and, at least, to correct quickly these mistakes.