Thursday, 6 June 2013

RuubikCMS 1.1.1 (tinybrowser.php, folder param) - Path Traversal Vulnerability

I found a very simple path traversal vulnerability in RuubikCMS 1.1.1, which can be exploited to list the files and folders available on the operating system. I tested it on a Windows operating system.

Vulnerable links:

tinybrowser.php:


File and Directory names listing

  • By exploiting the vulnerability in this page, we can list the files and directories present on the server, though I observed that .php files are not shown.

Folder created in Xampp directory

  • Using the above URL, we can create folders wherever we want!


File uploaded in Xampp root directory

  • Using the directory traversal exploit, we can upload files to a specific directory: first we hit the above URL, which internally sets the path to "c:\xampp" in my case; then, when you select a file to upload and click the upload button, your file is uploaded to the "xampp" directory.
  • We could go ahead and upload a PHP shell, but in this case it throws a permission error when we try; we can, however, upload ".html" files wherever we want.


Deleted Files from Xampp Directory (hack.txt)

  • Exploiting the same vulnerability in the edit.php page, we can delete files by selecting a directory with the above exploit and then deleting the files listed.
  • I observed that files in important directories such as "php" were not deleted using this procedure.
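A strict folder-parameter check of the kind that would stop the traversal described above, written as an added Python example (not RuubikCMS or TinyBrowser code); the upload root and the sample values are constructed for the demo:

```python
import os
import posixpath
import re
from urllib.parse import unquote

# Constructed demo root; a real deployment would use the file manager's configured upload directory.
UPLOAD_ROOT = "/var/www/html/uploads"

_DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


class TraversalError(ValueError):
    """Raised when a folder parameter would escape the upload root."""


def resolve_folder(folder: str, root: str = UPLOAD_ROOT) -> str:
    """Return the normalized relative folder path if it stays under root, else raise.

    The checks are deliberately strict: rather than trying to "clean" a bad value,
    any absolute path, drive letter, UNC prefix, NUL byte or '..' component is rejected.
    """
    # Decode twice so a double-encoded "%252e%252e" cannot slip past a single decode.
    decoded = unquote(unquote(folder or ""))
    if "\x00" in decoded:
        raise TraversalError("NUL byte in folder parameter")
    # Treat backslashes as separators too: the report above was reproduced on Windows,
    # where '..\..' works just as well as '../..'. UNC '\\server' becomes '//server' here.
    candidate = decoded.replace("\\", "/")
    if candidate.startswith("/") or _DRIVE_LETTER.match(candidate):
        raise TraversalError("absolute path not allowed")
    parts = [p for p in candidate.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        raise TraversalError("parent directory reference not allowed")
    relative = posixpath.join(*parts) if parts else ""
    # Defence in depth: resolve symlinks and confirm the final location is still inside root.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, *parts))
    if target != root_real and not target.startswith(root_real + os.sep):
        raise TraversalError("resolved path escapes upload root")
    return relative


def check_samples(samples):
    """Classify constructed folder values: value -> accepted relative path or 'REJECTED'."""
    results = {}
    for value in samples:
        try:
            results[value] = resolve_folder(value)
        except TraversalError:
            results[value] = "REJECTED"
    return results
```

Running `check_samples(["images/2013", "../../..", "..%5c..%5c", "C:/xampp", "%252e%252e/"])` accepts only the first value; the rest are rejected before any filesystem access happens.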

Exploit has been published on: [ EDB-ID: 25973 ]
