appRain 4.0.3: Path Traversal

appRain 4.0.3: Path Traversal

Date: 2015-12-02 10:33:48
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: appRain 4.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website:
Vulnerability Type: Path Traversal
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 12/02/2015
Release mode: Full Disclosure
CVE: requested, but not assigned
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description


Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N


The "loc" Parameter of the appeditor is vulnerable to directory traversal, which allows the viewing of arbitrary files.

Admin credentials are required to view files. It should be noted that an admin already has code execution via the designated PHP file editor. Still, this is an access violation in the context of this component.

3. Proof of Concept


6. Solution

This issue was not fixed by the vendor.

7. Report Timeline

10/02/2015 Informed Vendor. Mailbox is full, used instead (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor anounces fix for 11/02/2015
11/04/2015 No fix released, extended public disclosure date to 11/11/2015
11/05/2015 Vendor asks for list of organizations that may help implementing fixes
11/11/2015 Replied that we do not have lists, and that we do not have the resources to implement fixes ourselves. Extended release date to 11/18/2015 and offered further extension if needed (no reply)
11/17/2015 CVE Requested (no reply)
11/24/2015 Reminded Vendor of release date, extended date to 12/02/2015 and offered extension if needed (no reply)
12/02/2015 Disclosed to public