XOOPS 2.5.7.2 Directory Traversal

XOOPS 2.5.7.2 Directory Traversal: Posted Mar 18, 2016; Authored by hyp3rlinx | Site hyp3rlinx.altervista.org; XOOPS version 2.5.7.2 has checks to defend against directory traversal attacks. However, they can be easily bypassed by simply issuing "..././" instead of "../".; tags | exploit; SHA-256 | 8e0c7e604227b0d036e3789cef8b9827cdedcbebab054b865cd01c359cf31f18; Download | Favorite | View

XOOPS 2.5.7.2 Directory Traversal

[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/XOOPS-DIRECTORY-TRAVERSAL.txt



Vendor:
=============
xoops.org



Product:
================
Xoops 2.5.7.2



Vulnerability Type:
===========================
Directory Traversal Bypass



Vulnerability Details:
=====================

Xoops 2.5.7.2 has checks to defend against directory traversal attacks.
However, they can be easily bypassed by simply issuing "..././" instead of
"../"


References:
http://xoops.org/modules/news/article.php?storyid=6757


Exploit Codes:
==============


In Xoops code in 'protector.php' the following check is made for dot dot
slash "../" in HTTP requests

/////////////////////////////////////////////////////////////////////////////////

if( is_array( $_GET[ $key ] ) ) continue ;
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
{
 $this->last_error_type = 'DirTraversal' ;
 $this->message .= "Directory Traversal '$val' found.\n" ;

////////////////////////////////////////////////////////////////////////////////

The above Xoops directory traversal check can be defeated by using
 ..././..././..././..././

you can test the theory by using example below test case by supplying
..././ to GET param.

$val=$_GET['c'];

if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
{
echo "traversal!";
}else{
echo "ok!" . $val;
}



Disclosure Date:
==================================
Feb 2, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure

==================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere. (c) hyp3rlinx.

hyp3rlinx

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

XOOPS 2.5.7.2 Directory Traversal

XOOPS 2.5.7.2 Directory Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

XOOPS 2.5.7.2 Directory Traversal

Share This

XOOPS 2.5.7.2 Directory Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems