appRain 4.0.3 Path Traversal

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: appRain 4.0.3  
Fixed in: not fixed  
Fixed Version Link: n/a  
Vendor Website: [email protected]  
Vulnerability Type: Path Traversal  
Remote Exploitable: Yes  
Reported to vendor: 10/02/2015  
Disclosed to public: 12/02/2015  
Release mode: Full Disclosure  
CVE: requested, but not assigned  
Credits Tim Coen of Curesec GmbH  
  
2. Vulnerability Description  
  
CVSS  
  
Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N  
  
Description  
  
The "loc" Parameter of the appeditor is vulnerable to directory traversal,  
which allows the viewing of arbitrary files.  
  
Admin credentials are required to view files. It should be noted that an admin  
already has code execution via the designated PHP file editor. Still, this is  
an access violation in the context of this component.  
  
3. Proof of Concept  
  
  
http://localhost/apprain-source-4.0.3/appeditor?loc=../../../../../../../etc/passwd  
  
6. Solution  
  
This issue was not fixed by the vendor.  
  
7. Report Timeline  
  
10/02 Informed Vendor. Mailbox [email protected] is full, used  
/2015 [email protected] instead (no reply)  
10/21 Reminded Vendor of Disclosure Date  
/2015  
10/21 Vendor anounces fix for 11/02/2015  
/2015  
11/04 No fix released, extended public disclosure date to 11/11/2015  
/2015  
11/17 CVE Requested (no reply)  
/2015  
11/24 Reminded Vendor of release date, extended date to 12/02/2015 and offered  
/2015 extension if needed (no reply)  
12/02 Disclosed to public  
/2015  
  
  
Blog Reference:  
https://blog.curesec.com/article/blog/appRain-403-Path-Traversal-113.html  
  
--  
blog: https://blog.curesec.com  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Romain-Rolland-Str 14-24  
13089 Berlin, Germany  
  
  
`