
appRain 4.0.3: Path Traversal
Date: 2015-12-02 10:33:48
1. Introduction
Affected Product: | appRain 4.0.3 |
Fixed in: | not fixed |
Fixed Version Link: | n/a |
Vendor Website: | info@apprain.com |
Vulnerability Type: | Path Traversal |
Remote Exploitable: | Yes |
Reported to vendor: | 10/02/2015 |
Disclosed to public: | 12/02/2015 |
Release mode: | Full Disclosure |
CVE: | requested, but not assigned |
Credits: | Tim Coen of Curesec GmbH |
2. Vulnerability Description
CVSS
Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
Description
The "loc" parameter of the appeditor is vulnerable to directory traversal, which allows the viewing of arbitrary files.
Admin credentials are required to view files. It should be noted that an admin already has code execution via the designated PHP file editor. Still, this is an access violation in the context of this component.
3. Proof of Concept
http://localhost/apprain-source-4.0.3/appeditor?loc=../../../../../../../etc/passwd
6. Solution
This issue was not fixed by the vendor.
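Since no vendor fix exists, requests of the kind shown in the proof of concept can at least be detected in web server logs. The following is an added example, not part of the original advisory or of appRain's code; the log lines are constructed, and the Combined Log Format, the benign template path and the function names are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format); not taken from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Dec/2015:10:31:02 +0000] "GET /apprain-source-4.0.3/appeditor?loc=view/default/home.phtml HTTP/1.1" 200 5120
192.0.2.10 - - [02/Dec/2015:10:31:40 +0000] "GET /apprain-source-4.0.3/appeditor?loc=../../../../../../../etc/passwd HTTP/1.1" 200 1873
192.0.2.11 - - [02/Dec/2015:10:32:05 +0000] "GET /apprain-source-4.0.3/appeditor?loc=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1873
192.0.2.12 - - [02/Dec/2015:10:33:00 +0000] "GET /apprain-source-4.0.3/page/view/about?loc=../x HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def escapes_base(loc: str) -> bool:
    """True if loc, once fully decoded, is absolute or climbs above its base directory."""
    for _ in range(3):  # undo nested percent-encoding before inspecting the path
        decoded = unquote(loc)
        if decoded == loc:
            break
        loc = decoded
    loc = loc.replace("\\", "/")  # treat backslashes as separators too
    if loc.startswith("/"):  # assumption: an absolute path is never a legitimate value
        return True
    normalized = posixpath.normpath(loc)  # collapses "a/../b"; keeps leading ".." segments
    return normalized == ".." or normalized.startswith("../")

def find_traversal_requests(log_text: str, endpoint: str = "appeditor", param: str = "loc"):
    """Return (client_ip, decoded_value) for endpoint requests whose param escapes the base."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path.rstrip("/").rsplit("/", 1)[-1] != endpoint:
            continue  # only the appeditor component is in scope
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if escapes_base(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: loc={value}")
```

Normalizing the path before checking it avoids flagging values such as `view/../view/home.phtml`, which contain `..` but stay inside the base directory.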
7. Report Timeline
10/02/2015 | Informed Vendor. Mailbox info@apprain.com is full, used security@apprain.com instead (no reply) |
10/21/2015 | Reminded Vendor of Disclosure Date |
10/21/2015 | Vendor announces fix for 11/02/2015 |
11/04/2015 | No fix released, extended public disclosure date to 11/11/2015 |
11/05/2015 | Vendor asks for list of organizations that may help implementing fixes |
11/11/2015 | Replied that we do not have lists, and that we do not have the resources to implement fixes ourselves. Extended release date to 11/18/2015 and offered further extension if needed (no reply) |
11/17/2015 | CVE Requested (no reply) |
11/24/2015 | Reminded Vendor of release date, extended date to 12/02/2015 and offered extension if needed (no reply) |
12/02/2015 | Disclosed to public |