CakePHP 2.3.7 / 2.2.8 Local File Inclusion

13 Aug 2013 00:00:00 | Reported by Takeshi Terada | Type: packetstorm | Source: packetstormsecurity.com

CakePHP 2.3.7 / 2.2.8 Local File Inclusion Vulnerability

CVE Number: N/A (not assigned)  
Title: CakePHP AssetDispatcher Local File Inclusion Vulnerability  
Affected Software: Confirmed on CakePHP v2.3.7, v2.2.8  
(prior versions may also be affected)  
Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.  
Issue Status: v2.3.8 & 2.2.9 were released, which fix this vulnerability  
  
Overview:  
CakePHP is an open-source web application framework for PHP.  
CakePHP (v2.3.7, 2.2.8 and possibly prior versions) is vulnerable to an  
LFI (Local File Inclusion) attack. A remote attacker can abuse this  
vulnerability to steal files from the server or execute PHP code,  
if the target application has one or more themes or plugins. It is  
caused by insufficient input validation in the AssetDispatcher class.  
  
Details:  
CakePHP's AssetDispatcher class serves asset resources (such as image  
files) stored under individual theme or plugin directories. This class  
determines the requested resource's path from the PATH_INFO of the request URI.  
  
To prevent attacks, this class validates PATH_INFO and stops loading the  
requested resource if PATH_INFO contains a ".." sequence. But after the  
validation step, PATH_INFO is urldecoded in _getAssetFile(). This  
allows attackers to bypass the ".." check with URL-encoded dot characters (%2e).  
  
I present two examples of attack URIs. In both examples, Cake serves the  
content of /etc/passwd in the HTTP response body.  
  
URL1: http://victim-host/cakephp-2.3.7/theme/Test1/%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd  
  
A successful attack requires one or more themes on the target server.  
In the example above, the target application must have the "Test1" theme.  
This restriction is due to the file_exists() check in beforeDispatch().  
  
URL2: http://victim-host/cakephp-2.3.7/DebugKit/%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd  
  
The second example is almost the same as the first one. The difference is  
that the second one requires one or more Cake plugins with a webroot directory.  
The plugins must actually be enabled on the target server.  
  
The requested resource is served via an include statement, so PHP  
code execution through the LFI is possible if the target Cake application  
allows uploading files such as images, text and so on.  
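The two passages above (the ".." check applied before urldecode, and the resource being served via include) come down to the order in which a path is validated, decoded and resolved. The following is an added example written for this page, not CakePHP's own AssetDispatcher code: it places a function that mirrors the flawed check-then-decode order next to a hardened version that decodes first, rejects traversal segments and NUL bytes on the decoded value, and then confines the canonical path to the asset root with realpath(). All function and variable names (resolve_asset_unsafe, resolve_asset_safe, $webroot) are hypothetical, and the asset root is a constructed temporary directory.

```php
<?php
// Added example for this advisory, not CakePHP code. Names are hypothetical.
declare(strict_types=1);

/**
 * Mirrors the flawed ordering described in the advisory: the ".." test runs on
 * the raw PATH_INFO, and only afterwards is the value urldecoded. An encoded
 * "%2e." passes the test and becomes ".." after decoding.
 */
function resolve_asset_unsafe(string $webroot, string $pathInfo): ?string
{
    if (strpos($pathInfo, '..') !== false) {
        return null;                  // the only guard, applied before decoding
    }
    $decoded = urldecode($pathInfo);  // "%2e." -> ".." happens here, too late
    return $webroot . '/' . ltrim($decoded, '/');
}

/**
 * Hardened ordering: decode first, validate the decoded value, then resolve
 * and confine the canonical path to the asset root before any include().
 */
function resolve_asset_safe(string $webroot, string $pathInfo): ?string
{
    $decoded = rawurldecode($pathInfo);

    // NUL bytes must never reach include(); reject them outright.
    if (strpos($decoded, "\0") !== false) {
        return null;
    }
    // Reject any ".." segment on the *decoded* value (normalise backslashes first).
    foreach (explode('/', str_replace('\\', '/', $decoded)) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }

    $root = realpath($webroot);
    if ($root === false) {
        return null;
    }
    // realpath() resolves symlinks and "." so the prefix comparison is meaningful.
    $candidate = realpath($root . '/' . ltrim($decoded, '/'));
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                  // resolved outside the asset root
    }
    return $candidate;
}

// Constructed demo: a temporary asset root holding one legitimate file.
$root = sys_get_temp_dir() . '/asset-demo-' . getmypid();
mkdir($root . '/css', 0700, true);
file_put_contents($root . '/css/app.css', "body{}\n");

$legit     = 'css/app.css';
$traversal = str_repeat('%2e.//', 6) . 'etc/passwd';   // encoded form used in the advisory

printf("unsafe, legit:     %s\n", resolve_asset_unsafe($root, $legit) ?? 'rejected');
printf("unsafe, traversal: %s\n", resolve_asset_unsafe($root, $traversal) ?? 'rejected'); // passes the check
printf("safe,   legit:     %s\n", resolve_asset_safe($root, $legit) ?? 'rejected');
printf("safe,   traversal: %s\n", resolve_asset_safe($root, $traversal) ?? 'rejected');   // rejected

// Clean up the constructed directory.
unlink($root . '/css/app.css');
rmdir($root . '/css');
rmdir($root);
```

The segment check and the realpath() prefix check are deliberately redundant: the first catches the encoded traversal the advisory describes even when the target file does not exist, and the second catches anything the first does not anticipate (symlinks, alternative separators) by comparing the path the filesystem will actually open against the asset root.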
  
Timeline:  
2013/07/16 Reported to CakePHP Security ML  
2013/07/18 Vendor announced v2.3.8 & 2.2.9  
2013/08/13 Disclosure of this advisory  
  
Recommendation:  
Upgrade to the latest version.  
  
Reference:  
http://bakery.cakephp.org/articles/markstory/2013/07/18/cakephp_2_3_8_2_2_9_released  
