ExpressionEngine: Filename and directory enumeration

ID H1:149273
Type hackerone
Reporter strukt
Modified 2016-08-08T02:42:35



The "Import File Converter" can be abused by an admin to map the server directories and files, because the "File location" field doesn't sanitize the user input and allows access to root directories and files.

Steps to reproduce:

1- Go to http://localhost/ee/admin.php?/cp/utilities/import_converter
2- Set the "File location" to ///etc/ and notice the error "You must have at least 3 fields: username, screen_name, and email address", proving that the file exists.
3- Try with ///strukt/ and notice the different error message: it now says "The path you submitted is not valid.", meaning the directory doesn't exist.
4- Now try with ///etc/passwd; the first error message shows up.
5- Finally, try with ///etc/strukt; the second message appears.

More successful test cases:

///etc/hosts
///usr/
///var/
../../../../../../../../etc/passwd
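
One way to close this oracle, shown as an added example (it is not ExpressionEngine's code and not part of the original report): resolve the "File location" inside a fixed import directory and return the same message for every rejection. The names `resolve_import_path` and `IMPORT_ERROR` and the temporary demo directory are hypothetical.

```php
<?php
// Added example: hypothetical helper, not ExpressionEngine's own code.

// One message for every rejection, so the response is not an existence oracle.
const IMPORT_ERROR = 'The import file could not be used.';

/**
 * Resolve a user-supplied "File location" strictly inside $baseDir.
 * Returns the canonical path of a readable file, or null on any rejection.
 */
function resolve_import_path(string $input, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $input === '' || strpos($input, "\0") !== false) {
        return null;
    }
    // Leading slashes ("///etc/") are stripped so the input is always
    // interpreted relative to the import directory, never as absolute.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($input, '/\\'));
    if ($candidate === false) {
        return null; // path does not exist; caller shows the generic error
    }
    // realpath() collapsed ".." and symlinks; the result must still sit under the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return (is_file($candidate) && is_readable($candidate)) ? $candidate : null;
}

// Constructed demo: a throwaway import directory holding one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ee_import_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'members.xml', '<members/>');

// The report's test inputs plus one legitimate file name.
$inputs = ['members.xml', '///etc/', '///strukt/', '///etc/passwd',
           '../../../../../../../../etc/passwd'];
foreach ($inputs as $input) {
    $path = resolve_import_path($input, $base);
    echo str_pad($input, 38), $path === null ? IMPORT_ERROR : 'accepted', PHP_EOL;
}

unlink($base . DIRECTORY_SEPARATOR . 'members.xml');
rmdir($base);
```

Every input from the report now produces the identical message whether or not the target exists on the server; the specific rejection reason belongs in a server-side log, not in the response.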