Acuity CMS 2.6.x (ASP-based) Path Traversal

2012.05.20
Credit: Aung Khant
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

1. OVERVIEW Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Path Traversal. 2. BACKGROUND Acuity CMS is a powerful but simple, extremely easy to use, low priced, easy to deploy content management system. It is a leader in its price and feature class. 3. VULNERABILITY DESCRIPTION The issue is due to the script, /admin/file_manager/browse.asp, not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'path' parameter. It would allow the attacker to access arbitrary files outside of web root directory. 4. VERSIONS AFFECTED Tested with version 2.6.2. 5. PROOF-OF-CONCEPT/EXPLOIT http://localhost/admin/file_manager/browse.asp?field=&form=&path=../../ 6. SOLUTION The Acunity CMS is no longer in active development. It is recommended to user another CMS in active development and support. 7. VENDOR The Collective http://www.thecollective.com.au/ 8. CREDIT Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2012-05-20: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_path_traversal #yehg [2012-05-20]

References:

http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_path_traversal
http://www.thecollective.com.au/
http://yehg.net


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top