Easyweb Filemanager Directory Traversal

Full Version: Easyweb Filemanager Directory Traversal

GovernmentSecurity.org > The Archives > Exploit Articles

qcred11

Jul 29 2004, 10:41 PM

QUOTE

Product:
EasyWeb FileManager Module - http://home.postnuke.ru/index.php

Description:
EasyWeb FileManager Module for PostNuke is vulnerable to a directory traversal
problem which allows retrieval of arbitrary files from the remote system.

Systems Affected:
EasyWeb FileManager 1.0 RC-1

Technical Description:
The PostNuke module works by loading a directory and/or file via the "pathext"
(directory) and "view" (file) variables. Providing a relative path (from the
document repository) in the "pathext" variable will cause FileManager to
provide a directory listing of that diretory. Selecting a file in that listing,
or putting a file name in the "view" variable, will cause EasyWeb to load the
file specified. Only files and directories which can be read by the system user
running PHP can be retrieved.

Assuming PostNuke is installed at the root level:
/etc directory listing:
/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc

/etc/passwd file:
/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc/&view=passwd

Fix/Workaround:
Use another file manager module for PostNuke, as the authors do not appear to be
maintaining EW FileManager.

Vendor Status:
Vendor was contacted but did not respond

Source: http://seclists.org/lists/bugtraq/2004/Jul/0285.html

SET_coo

Jul 29 2004, 11:31 PM

just a note to that, it won't work unless you are logged in to the site. utherwise, it will say NO_AUTH.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.