lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sun, 25 Jul 2004 15:41:20 +0300
From: Noam Rathaus <noamr@...ondsecurity.com>
To: bugtraq@...urityfocus.com
Cc: sullo@...t.net, vulnwatch@...nwatch.org
Subject: Re: EasyWeb FileManager Directory Traversal


On Saturday 24 July 2004 03:40, sullo@...t.net wrote:
> Product:
> EasyWeb FileManager Module - http://home.postnuke.ru/index.php
>
> Description:
> EasyWeb FileManager Module for PostNuke is vulnerable to a directory
> traversal problem which allows retrieval of arbitrary files from the remote
> system.
>
> Systems Affected:
> EasyWeb FileManager 1.0 RC-1
>
> Technical Description:
> The PostNuke module works by loading a directory and/or file via the
> "pathext" (directory) and "view" (file) variables. Providing a relative
> path (from the document repository) in the "pathext" variable will cause
> FileManager to provide a directory listing of that diretory. Selecting a
> file in that listing, or putting a file name in the "view" variable, will
> cause EasyWeb to load the file specified. Only files and directories which
> can be read by the system user running PHP can be retrieved.
>
> Assuming PostNuke is installed at the root level:
> /etc directory listing:
> /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../e
>tc
>
> /etc/passwd file:
> /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../e
>tc/&view=passwd
>
> Fix/Workaround:
> Use another file manager module for PostNuke, as the authors do not appear
> to be maintaining EW FileManager.
>
> Vendor Status:
> Vendor was contacted but did not respond.
>
> References:
> OSVDB-8193           http://www.osvdb.org/8193
> Original Advisory    http://www.cirt.net/advisories/ew_file_manager.shtml
>
>
>
>
> --
>
> http://www.cirt.net/   |   http://www.osvdb.org/
Hi,

Are you certain of your findings? You are stating that anyone can access 
through the EW FileManager module arbitrary files (that are world-readable)…

This doesn’t happen unless you have strictly configured your EW FileManager to 
work badly, as the PHP will return NOAUTH on any unauthorized user accessing 
the administrator interface, and specifically manager functionality.

The code that causes this can be found in pnadmin.php:
function ew_filemanager_admin_manager() {
...
...

  if(!pnSecAuthAction(0, 'ew_filemanager::', '::', ACCESS_EDIT)) {
    $output->Text(_NOAUTH);
    return $output->GetOutput();
  }

...

So you exploit won't work unless you are logged in to the EW FileManager. If 
this is true, then this greatly diminishes the validity of your 
vulnerability, as EW FileManager's purpose is:
( http://home.postnuke.ru/index.php?module=subjects&func=viewpage&pageid=3 )
Module designed to manage file and directories inside directory given by site 
admin.

So allowing someone you don't trust access to this PHP causes more danger than 
the simple fact that he can view files... he can upload new PHPs, that then 
can get executed, and provide a "complete" shell.

-- 
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Join the SecuriTeam community on Orkut:
http://www.orkut.com/Community.aspx?cmm=44441

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ