Server : Apache/2
System : Linux server-15-235-50-60 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64
User : gositeme ( 1004)
PHP Version : 8.2.29
Disable Function : exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
Directory :  /home/gositeme/domains/soundstudiopro.com/private_html/


Current File : /home/gositeme/domains/soundstudiopro.com/private_html/SECURITY_VULNERABILITIES_FILE_ACCESS.md
# 🔒 Security Vulnerabilities - File Access & Download

**Date:** 2025-12-02  
**Severity:** 🔴 **HIGH**  
**Status:** ⚠️ **NEEDS IMMEDIATE FIX**

## 🚨 Vulnerabilities Found

### 1. Path Traversal in File Downloads

**Affected Files:**
- `api/download_track.php` (line 70)
- `api/download_crate_track.php` (lines 139-155)
- `utils/play_audio.php` (line 237)
- `utils/audiofiles_public.php` (line 48)

**Issue:**
File paths are constructed from database values (`audio_url`) without proper validation. If an attacker can manipulate the database or if stored values contain path traversal sequences (`../`), they could access files outside the intended directory.

**Example Attack:**
```php
// If audio_url in database is: "../../../etc/passwd"
$file_path = $_SERVER['DOCUMENT_ROOT'] . parse_url($audio_url, PHP_URL_PATH);
// Could result in: /var/www/html/../../../etc/passwd
```

**Risk:**
- 🔴 **HIGH** - Unauthorized file access
- Could expose sensitive files (config files, passwords, etc.)
- Could allow reading arbitrary files on the server

### 2. Missing Session Check

**Affected File:**
- `utils/audiofiles_public.php` (line 35)

**Issue:**
`session_start()` is commented out, but the code still tries to use `$_SESSION['user_id']`. This could cause:
- Undefined variable errors
- Potential bypass of authentication checks
- Inconsistent behavior

**Risk:**
- 🟡 **MEDIUM** - Authentication bypass potential
- Could allow unauthorized access if session check fails

### 3. Insufficient Path Validation

**Affected Files:**
- All download handlers

**Issue:**
While `realpath()` is used in some places, it's not consistently applied, and paths aren't validated to ensure they're within allowed directories before using `realpath()`.

**Risk:**
- 🟡 **MEDIUM** - Path traversal still possible in edge cases

## ✅ Recommended Fixes

### Fix 1: Add Path Validation Function

Create a secure path validation function that:
1. Validates paths are within allowed directories
2. Prevents path traversal
3. Normalizes paths safely

### Fix 2: Whitelist Allowed Directories

Only allow file access from specific whitelisted directories:
- `/audio_files/`
- `/uploads/`
- Other explicitly allowed directories

### Fix 3: Validate Database Values

Before using `audio_url` from database:
1. Validate it matches expected patterns
2. Check it's within allowed directories
3. Sanitize any user-controlled input
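Fixes 1 to 3 above, written out as one validation layer, as an added example: this is not the project's own `includes/file_security.php`, and it assumes the whitelisted folders `audio_files` and `uploads` sit directly under `DOCUMENT_ROOT`. The same functions cover the "Security Improvements" section below (normalize with `realpath()` before the whitelist check, validate external URLs with `filter_var()`, sanitize download names).

```php
<?php
// Added example (assumed layout, not the project's includes/file_security.php):
// whitelisted folders sit directly under DOCUMENT_ROOT.
const ALLOWED_DIRS = ['audio_files', 'uploads'];
// Resolve $relative under $document_root and return the canonical absolute
// path only if it is an existing file inside a whitelisted folder; else null.
function validateFilePath(string $relative, string $document_root): ?string
{
    $root = realpath($document_root);
    if ($root === false || strpos($relative, "\0") !== false) {
        return null; // unresolvable root or NUL-byte truncation attempt
    }
    // Check the whitelist on the *normalized* path, never the raw string,
    // so "/audio_files/../config.php" collapses and is rejected.
    $candidate = realpath($root . '/' . ltrim($relative, '/'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    foreach (ALLOWED_DIRS as $dir) {
        $prefix = $root . DIRECTORY_SEPARATOR . $dir . DIRECTORY_SEPARATOR;
        if (strncmp($candidate, $prefix, strlen($prefix)) === 0) {
            return $candidate;
        }
    }
    return null;
}
// Classify a database audio_url as ['external', $url] (http/https only,
// to be redirected to, never readfile()'d) or ['local', $abs]; else null.
function validateAudioUrl(string $audio_url, string $document_root): ?array
{
    if (filter_var($audio_url, FILTER_VALIDATE_URL) !== false) {
        $scheme = strtolower((string) parse_url($audio_url, PHP_URL_SCHEME));
        return in_array($scheme, ['http', 'https'], true) ? ['external', $audio_url] : null;
    }
    $path = parse_url($audio_url, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    $abs = validateFilePath($path, $document_root);
    return $abs === null ? null : ['local', $abs];
}
// Reduce a download name to a safe basename for Content-Disposition.
function sanitizeDownloadFilename(string $name): string
{
    $base = basename(str_replace("\0", '', $name));
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base) ?? '';
    return ($base === '' || $base === '.' || $base === '..') ? 'download' : $base;
}
```

With this layout, `validateAudioUrl('../../../etc/passwd', $_SERVER['DOCUMENT_ROOT'])` returns null because the resolved path lies outside both whitelisted folders, while a `file://` value fails the scheme check rather than being treated as a local path.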

### Fix 4: Fix Session Handling

- Uncomment `session_start()` in `audiofiles_public.php`
- Or remove session dependency if public access is intended
- Add proper authentication checks

## 🎯 Priority Actions

1. **IMMEDIATE** - Fix path traversal vulnerabilities
2. **HIGH** - Add path validation to all file handlers
3. **MEDIUM** - Fix session handling in `audiofiles_public.php`
4. **MEDIUM** - Add comprehensive input validation

## 📝 Files Requiring Fixes

1. ✅ **FIXED** `api/download_track.php` - Added path validation using `validateAudioUrl()`
2. ✅ **FIXED** `api/download_crate_track.php` - Added path validation using `validateAudioUrl()`
3. ✅ **FIXED** `api/download_variation.php` - Fixed critical vulnerability (was using `readfile()` directly on URL/path)
4. ⚠️ `utils/play_audio.php` - Has token validation, but should review path validation
5. ⚠️ `utils/audiofiles_public.php` - Needs session fix (session_start() commented out)

## ✅ Security Fixes Applied

### Created Security Utility
- ✅ `includes/file_security.php` - New security utility with:
  - `validateFilePath()` - Prevents path traversal
  - `validateAudioUrl()` - Validates audio URLs (local/external)
  - `sanitizeDownloadFilename()` - Sanitizes filenames

### Fixed Files
1. **`api/download_variation.php`** - **CRITICAL FIX**
   - Was using `readfile()` directly on `audio_url` without validation
   - Now uses `validateAudioUrl()` to check paths
   - Handles both local files and external URLs safely
   - Prevents path traversal attacks

2. **`api/download_track.php`** - **FIXED**
   - Added `validateAudioUrl()` to validate paths
   - Prevents path traversal
   - Handles external URLs safely

3. **`api/download_crate_track.php`** - **FIXED**
   - Replaced manual path construction with `validateAudioUrl()`
   - Prevents path traversal
   - Uses secure filename sanitization

## 🔒 Security Improvements

1. **Path Traversal Prevention**
   - All file paths now validated using `validateFilePath()`
   - Ensures paths are within allowed directories
   - Uses `realpath()` to resolve and validate paths
   - Blocks access outside `DOCUMENT_ROOT`

2. **Input Validation**
   - All `audio_url` values from database are validated
   - External URLs validated with `filter_var()`
   - Local paths checked against whitelist

3. **Whitelist Approach**
   - Only allows files from:
     - `/audio_files/`
     - `/uploads/`
   - All other directories blocked

## ⚠️ Remaining Issues

1. **`utils/audiofiles_public.php`**
   - `session_start()` is commented out but code uses `$_SESSION['user_id']`
   - Needs to either enable session or remove session dependency
   - Path validation should be added if not already present

2. **`utils/play_audio.php`**
   - Has token validation (good)
   - Has referrer checks (good)
   - Should verify path validation is sufficient
